[Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation
credentials (NTLM+SPNEGO)
Serguei
public at wolke7.net
Wed Apr 18 13:52:15 GMT 2007
Hallo,
We protect linux/apache server with mod_auth_ntlm_winbind.so to
authenticate users with their domain accounts. The server is joined into
windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is
configured for NTLM+SPNEGO authentication. So far users can login when
providing valid credentials.
Users login into their windows workstation (Windows XP SP2 IE/Firefox)
with local accounts (not domain accounts) and access applications from
Internet, because they normally work outside the office. Local account
name/password matches domain account name/password. Thus we supposed to
provide a Single Signon between workstation and web applications.
Browsers when properly configured (IE -> [x] Integrated Windows
Authentication+site in the Intranet Zone, Firefox ->
network.automatic-ntlm-auth.trusted-uris,
network.negotiate-auth.trusted-uris settings) can forward users local
account credentials to the web server. This seamless authentication
works fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so
with error 500 (both IE and Firefox)
Apache log:
[Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received
for child 3 (server intradev.haching.lan:443)
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
192.168.31.39] Launched ntlm_helper, pid 3745
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
192.168.31.39] creating auth user
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
192.168.31.39] parsing reply from helper to YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
[2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
192.168.31.39] got response: BH
[Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such
file or directory: failed to parse response from helper
[Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with
unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)
Winbindd log.
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 19
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
[ 3698]: list trusted domains
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 0]: request interface version
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 0]: request location of privileged pipe
[2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
[ 0]: getgroups root
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 21
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
[ 3698]: lookupname HACHING\root
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 42
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 54
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
[ 3698]: getsidaliases
...
"getgroups root" is already strange here. And there is no HACHING\root
user. where does it come from? Of course winbind cannot lookup this
name. Once again, authentication fail only when URL set as the browser's
trusted site. When I take the site out of browser's trusted site list
and login explicitly with the same account, everything is fine:
Apache
[Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received
for child 0 (server intradev.haching.lan:443)
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
[client 192.168.31.39] doing ntlm auth dance
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
192.168.31.39] Launched ntlm_helper, pid 3823
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
192.168.31.39] creating auth user
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
192.168.31.39] parsing reply from helper to YR
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
192.168.31.39] got response: TT
TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411): [client
192.168.31.39] sending back
TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
[Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request
received for child 0 (server intradev.haching.lan:443)
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
[client 192.168.31.39] doing ntlm auth dance
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client
192.168.31.39] Using existing auth helper 3823
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
192.168.31.39] parsing reply from helper to KK
TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAAAAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO38BWoCtpXTgGPJMKm63kcbe4fTWd4=\n
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
192.168.31.39] got response: AF testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client
192.168.31.39] authenticated testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client
192.168.31.39] retaining user testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client
192.168.31.39] keepalives: 1
Winbind:
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
0132 id_auth[4] : 00
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
0133 id_auth[5] : 05
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991)
0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
[2007/04/18 15:40:15, 5]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
Setting unix username to [testuser]
[2007/04/18 15:40:15, 5]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
NTLM CRAP authentication for user [HACHING]\[testuser] returned
NT_STATUS_OK (PAM: 0)
Below is some configuration info
Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24
smb.conf
[global]
usershare allow guests = No
workgroup = HACHING
realm = HACHING.LAN
idmap uid = 10000-20000
idmap gid = 10000-20000
security = domain
#password server = sun.haching.lan
winbind use default domain = yes
mod_auth_ntlm_winbind.so configuration
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NegotiateAuth on
NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
NTLMBasicAuthoritative on
AuthType Negotiate
AuthType NTLM
require valid-user
Tests like net rpc testjoin, wbinfo -u, wbinfo -g, ntlm_auth
--username=testuser
are ok.
Any ideas are welcome,
regards,
Serguei
More information about the samba
mailing list