[Samba] winbindd/mod_auth_ntlm_winbind.so fails to use workstation credentials (NTLM+SPNEGO)

Stefan Gohmann gohmann at univention.de
Thu Apr 19 06:02:58 GMT 2007


Hello,

there was a patch on samba-technical, "[PATCH] mod_auth_ntlm_winbind - new 
feature to omit domain name from username". Maybe this patch helps with your 
problem?

Cheers
Stefan

On Wednesday, 18 April 2007 15:52, Serguei wrote:
> Hello,
>
> We protect a Linux/Apache server with mod_auth_ntlm_winbind.so to
> authenticate users with their domain accounts. The server is joined to a
> Windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is
> configured for NTLM+SPNEGO authentication. So far, users can log in when
> providing valid credentials.
>
> Users log in to their Windows workstations (Windows XP SP2, IE/Firefox)
> with local accounts (not domain accounts) and access applications from
> the Internet, because they normally work outside the office. The local
> account name/password matches the domain account name/password. Thus we
> supposed we could provide Single Sign-on between the workstation and the
> web applications. Browsers, when properly configured (IE -> [x] Integrated
> Windows Authentication + site in the Intranet Zone; Firefox ->
> network.automatic-ntlm-auth.trusted-uris and
> network.negotiate-auth.trusted-uris settings), can forward the user's
> local account credentials to the web server. This seamless authentication
> works fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so
> with error 500 (both IE and Firefox).
>
> Apache log:
> [Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received
> for child 3 (server intradev.haching.lan:443)
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
> 192.168.31.39] Launched ntlm_helper, pid 3745
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
> 192.168.31.39] creating auth user
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
> 192.168.31.39] parsing reply from helper to YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
> [2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
> 192.168.31.39] got response: BH
> [Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such
> file or directory: failed to parse response from helper
> [Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with
> unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)
>
> Winbindd log:
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 19
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
>   [ 3698]: list trusted domains
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(491)
>   [    0]: request interface version
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
>   [    0]: request location of privileged pipe
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
>   [    0]: getgroups root
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 21
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
>   [ 3698]: lookupname HACHING\root
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 42
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 54
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
>   [ 3698]: getsidaliases
> ...
>
> "getgroups root" is already strange here. And there is no HACHING\root
> user; where does it come from? Of course winbind cannot look up this
> name. Once again, authentication fails only when the URL is set as a
> browser trusted site. When I take the site out of the browser's trusted
> site list and log in explicitly with the same account, everything is fine:
>
> Apache
> [Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received
> for child 0 (server intradev.haching.lan:443)
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
> [client 192.168.31.39] doing ntlm auth dance
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
> 192.168.31.39] Launched ntlm_helper, pid 3823
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
> 192.168.31.39] creating auth user
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
> 192.168.31.39] parsing reply from helper to YR
> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
> 192.168.31.39] got response: TT
> TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411):
> [client 192.168.31.39] sending back
> TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
> [Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request
> received for child 0 (server intradev.haching.lan:443)
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
> [client 192.168.31.39] doing ntlm auth dance
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client
> 192.168.31.39] Using existing auth helper 3823
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
> 192.168.31.39] parsing reply from helper to KK
> TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAAAAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO38BWoCtpXTgGPJMKm63kcbe4fTWd4=\n
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
> 192.168.31.39] got response: AF testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client
> 192.168.31.39] authenticated testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client
> 192.168.31.39] retaining user testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client
> 192.168.31.39] keepalives: 1
>
> Winbind:
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
>               0132 id_auth[4] : 00
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
>               0133 id_auth[5] : 05
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991)
>               0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
> [2007/04/18 15:40:15, 5]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
>   Setting unix username to [testuser]
> [2007/04/18 15:40:15, 5]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
>   NTLM CRAP authentication for user [HACHING]\[testuser] returned
> NT_STATUS_OK (PAM: 0)
>
> Below is some configuration info
>
> Web Server: SUSE 10, Apache 2.0.58, winbindd 3.0.24
>
> smb.conf
> [global]
>         usershare allow guests = No
>         workgroup = HACHING
>         realm = HACHING.LAN
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         security = domain
>         #password server = sun.haching.lan
>         winbind use default domain = yes
>
> mod_auth_ntlm_winbind.so configuration
>   AuthName "NTLM Authentication thingy"
>   NTLMAuth on
>   NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
>   NegotiateAuth on
>   NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
>   NTLMBasicAuthoritative on
>   AuthType Negotiate
>   AuthType NTLM
>   require valid-user
>
> Tests like net rpc testjoin, wbinfo -u, wbinfo -g and
> ntlm_auth --username=testuser are OK.
>
> Any ideas are welcome,
>
> regards,
> Serguei

-- 
Stefan Gohmann         Development               gohmann at univention.de
Univention GmbH        Linux for your Business  phone: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen             fax: +49 421 22 232-99
                       http://www.univention.de
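Editor's note, added example (not part of the thread, not Samba or mod_auth_ntlm_winbind code): a decoder for the base64 tokens that the Apache debug log above records as "YR <token>" (sent to the helper) and "TT <token>" (returned by it). Run over the tokens copied from the post, it shows that the YR token of the failing single sign-on attempt is a raw NTLMSSP Type 1 (NEGOTIATE) message, flags 0xa2088207 with a Windows 5.1.2600 version field, not a SPNEGO token, while the log lines around it (no "doing ntlm auth dance", and ntlm_auth's manage_gss_spnego_request logging at level 1 right before the BH) show it being handled by the helper started with --helper-protocol=gss-spnego. The working manual login sends its Type 1 (flags 0x00088207, no version field) to the squid-2.5-ntlmssp helper and gets the Type 2 challenge back, whose target info carries HACHING, INTRADEV, haching.lan and intradev.haching.lan. The parser covers Types 1 and 2 only; the field layout is from MS-NLMP, the DER tag check in token_kind() from the SPNEGO encoding, and SPNEGO_LIKE is a constructed stub (only the leading 0x60 tag), not a real token.

```python
"""Decode the NTLMSSP tokens mod_auth_ntlm_winbind writes to the Apache debug
log.  Added example; the three NTLMSSP tokens are copied from the post's log
with the mail's line wraps re-joined, SPNEGO_LIKE is constructed."""
import base64
import struct

NTLMSSP_MAGIC = b"NTLMSSP\x00"

# NEGOTIATE flags (MS-NLMP 2.2.2.5), the subset that occurs in these tokens.
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO", 0x02000000: "VERSION", 0x20000000: "128",
    0x40000000: "KEY_EXCH", 0x80000000: "56",
}
AV_IDS = {1: "NbComputerName", 2: "NbDomainName",
          3: "DnsComputerName", 4: "DnsDomainName", 5: "DnsTreeName"}

# Failing SSO attempt: the YR token the gss-spnego helper answered with BH.
FAILING_YR = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
# Working manual login: YR sent to, and TT returned by, the squid-2.5-ntlmssp helper.
WORKING_YR = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
WORKING_TT = ("TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASAB"
              "JAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGk"
              "AbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgA"
              "AAAAA")
# Constructed stub, not a real token: just the DER application tag 0x60 that a
# SPNEGO NegTokenInit begins with, so token_kind() has something to contrast.
SPNEGO_LIKE = "YAYGBCsGAQU="


def token_kind(b64):
    """SPNEGO tokens are DER (NegTokenInit tag 0x60, NegTokenResp 0xa1); raw
    NTLMSSP starts with its 8-byte signature.  A gss-spnego helper is meant
    to receive the former, a squid-2.5-ntlmssp helper the latter."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_MAGIC):
        return "ntlmssp"
    if raw[:1] in (b"\x60", b"\xa1"):
        return "spnego"
    return "unknown"


def _buf(raw, off):
    """Read a security buffer (len, maxlen, offset) and return its bytes."""
    ln, _maxlen, ofs = struct.unpack_from("<HHI", raw, off)
    return raw[ofs:ofs + ln]


def flag_names(flags):
    return sorted(name for bit, name in FLAGS.items() if flags & bit)


def parse_ntlmssp(b64):
    """Parse a Type 1 (NEGOTIATE) or Type 2 (CHALLENGE) message into a dict."""
    raw = base64.b64decode(b64)
    if not raw.startswith(NTLMSSP_MAGIC):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    if mtype == 1:
        flags = struct.unpack_from("<I", raw, 12)[0]
        msg = {"type": 1, "flags": flags,
               "domain": _buf(raw, 16).decode("ascii", "replace"),
               "workstation": _buf(raw, 24).decode("ascii", "replace")}
        if flags & 0x02000000 and len(raw) >= 40:      # NEGOTIATE_VERSION present
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            msg["version"] = (major, minor, build)
        return msg
    if mtype == 2:
        flags = struct.unpack_from("<I", raw, 20)[0]
        msg = {"type": 2, "flags": flags, "challenge": raw[24:32].hex(),
               "target_name": _buf(raw, 12).decode("utf-16-le"),
               "target_info": {}}
        if flags & 0x00800000:                          # NEGOTIATE_TARGET_INFO
            info, pos = _buf(raw, 40), 0
            while pos + 4 <= len(info):                 # walk the AV_PAIR list
                av_id, av_len = struct.unpack_from("<HH", info, pos)
                pos += 4
                if av_id == 0:                          # MsvAvEOL
                    break
                value = info[pos:pos + av_len].decode("utf-16-le")
                msg["target_info"][AV_IDS.get(av_id, av_id)] = value
                pos += av_len
        return msg
    raise ValueError("unsupported NTLMSSP message type %d" % mtype)


def describe(b64):
    """One-line summary of a logged token, the kind of thing to run over a log."""
    kind = token_kind(b64)
    if kind != "ntlmssp":
        return kind
    msg = parse_ntlmssp(b64)
    extra = msg.get("version", "") if msg["type"] == 1 else msg["target_info"]
    return "%s type %d flags 0x%08x [%s] %s" % (
        kind, msg["type"], msg["flags"], " ".join(flag_names(msg["flags"])), extra)


if __name__ == "__main__":
    for label, tok in (("failing YR", FAILING_YR), ("working YR", WORKING_YR),
                       ("working TT", WORKING_TT), ("constructed", SPNEGO_LIKE)):
        print(label, "->", describe(tok))
```

The check worth keeping from this is token_kind(): paste the first token of any BH exchange into it and you know within a second whether the helper was given a SPNEGO token or raw NTLMSSP, which tells you which helper protocol the request actually reached.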

