[Samba] winbindd/mod_auth_ntlm_winbind.so fails to use workstation credentials (NTLM+SPNEGO)
Stefan Gohmann
gohmann at univention.de
Thu Apr 19 06:02:58 GMT 2007
Hello,
there was a patch on samba-technical "[PATCH] mod_auth_ntlm_winbind - new
feature to omit domain name from username". Maybe this patch helps with your
problem?
Cheers
Stefan
On Wednesday, 18 April 2007 at 15:52, Serguei wrote:
> Hello,
>
> We protect a Linux/Apache server with mod_auth_ntlm_winbind.so to
> authenticate users with their domain accounts. The server is joined to a
> Windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is
> configured for NTLM+SPNEGO authentication. So far users can log in when
> providing valid credentials.
>
> Users log in to their Windows workstations (Windows XP SP2, IE/Firefox)
> with local accounts (not domain accounts) and access the applications from
> the Internet, because they normally work outside the office. The local
> account name/password matches the domain account name/password. Thus we
> intended to provide Single Sign-on between the workstation and the web
> applications. Browsers, when properly configured (IE -> [x] Integrated
> Windows Authentication + site in the Intranet Zone; Firefox ->
> network.automatic-ntlm-auth.trusted-uris and
> network.negotiate-auth.trusted-uris settings), can forward the user's local
> account credentials to the web server. This seamless authentication works
> fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so with
> error 500 (both IE and Firefox).
>
> Apache log:
> [Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received
> for child 3 (server intradev.haching.lan:443)
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
> 192.168.31.39] Launched ntlm_helper, pid 3745
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
> 192.168.31.39] creating auth user
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
> 192.168.31.39] parsing reply from helper to YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
> [2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
> 192.168.31.39] got response: BH
> [Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such
> file or directory: failed to parse response from helper
> [Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with
> unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)
>
> Winbindd log:
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
> child daemon request 19
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
> [ 3698]: list trusted domains
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(491)
> [ 0]: request interface version
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
> [ 0]: request location of privileged pipe
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
> [ 0]: getgroups root
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
> child daemon request 21
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
> [ 3698]: lookupname HACHING\root
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
> child daemon request 42
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
> child daemon request 54
> [2007/04/18 15:20:01, 3]
> nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
> [ 3698]: getsidaliases
> ...
>
> "getgroups root" is already strange here. And there is no HACHING\root
> user; where does it come from? Of course winbind cannot look up this
> name. Once again, authentication fails only when the URL is set as a
> trusted site in the browser. When I take the site out of the browser's
> trusted site list and log in explicitly with the same account, everything
> is fine:
>
> Apache log:
> [Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received
> for child 0 (server intradev.haching.lan:443)
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
> [client 192.168.31.39] doing ntlm auth dance
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
> 192.168.31.39] Launched ntlm_helper, pid 3823
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
> 192.168.31.39] creating auth user
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
> 192.168.31.39] parsing reply from helper to YR
> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
> 192.168.31.39] got response: TT
> TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASAB
> JAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGk
> AbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgA
> AAAAA
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411):
> [client 192.168.31.39] sending back
> TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASAB
> JAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGk
> AbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgA
> AAAAA
> [Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request
> received for child 0 (server intradev.haching.lan:443)
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
> [client 192.168.31.39] doing ntlm auth dance
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client
> 192.168.31.39] Using existing auth helper 3823
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
> 192.168.31.39] parsing reply from helper to KK
> TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAA
> AAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO3
> 8BWoCtpXTgGPJMKm63kcbe4fTWd4=\n
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
> 192.168.31.39] got response: AF
> testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client
> 192.168.31.39] authenticated testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client
> 192.168.31.39] retaining user testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client
> 192.168.31.39] keepalives: 1
>
> Winbind:
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
> 0132 id_auth[4] : 00
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
> 0133 id_auth[5] : 05
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991)
> 0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
> [2007/04/18 15:40:15, 5]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
> Setting unix username to [testuser]
> [2007/04/18 15:40:15, 5]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
> NTLM CRAP authentication for user [HACHING]\[testuser] returned
> NT_STATUS_OK (PAM: 0)
>
> Below is some configuration info
>
> Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24
>
> smb.conf
> [global]
> usershare allow guests = No
> workgroup = HACHING
> realm = HACHING.LAN
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> security = domain
> #password server = sun.haching.lan
> winbind use default domain = yes
>
> mod_auth_ntlm_winbind.so configuration
> AuthName "NTLM Authentication thingy"
> NTLMAuth on
> NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
> NegotiateAuth on
> NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
> NTLMBasicAuthoritative on
> AuthType Negotiate
> AuthType NTLM
> require valid-user
>
> Tests like net rpc testjoin, wbinfo -u, wbinfo -g and
> ntlm_auth --username=testuser are OK.
>
> Any ideas are welcome,
>
> regards,
> Serguei
--
Stefan Gohmann Entwicklung gohmann at univention.de
Univention GmbH Linux for your Business fon: +49 421 22 232- 0
Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22 232-99
http://www.univention.de
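The two "YR" tokens in Serguei's Apache logs are NTLM Type 1 (NEGOTIATE) messages, and decoding them shows exactly how the trusted-site request differs from the explicit login. The script below is an added example, not code from this thread or from Samba: it classifies what the helper was handed (raw NTLMSSP versus a SPNEGO-wrapped token, a heuristic based on the leading bytes) and prints the negotiate flags and the client Version field when one is present. Flag names and the field layout are taken from MS-NLMP; the token strings are copied from the logs above.

```python
# Added example (not code from the thread or Samba): decode the NTLMSSP
# NEGOTIATE (Type 1) tokens that mod_auth_ntlm_winbind logs after "YR".
# Layout per MS-NLMP 2.2.1.1; FLAGS lists only the bits these tokens use.
import base64
import struct

FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x02000000: "VERSION",
    0x20000000: "128", 0x80000000: "56",
}
NEGOTIATE_VERSION = 0x02000000

# The two "YR" tokens copied from the Apache debug logs above.
TYPE1_TRUSTED_SITE = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
TYPE1_EXPLICIT_LOGIN = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="


def token_kind(raw: bytes) -> str:
    """Heuristic: raw NTLMSSP, a SPNEGO/GSS-API wrapped token, or unknown."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlmssp"
    if raw[:1] in (b"\x60", b"\xa1"):  # InitialContextToken / NegTokenResp
        return "spnego"
    return "unknown"


def parse_type1(b64: str) -> dict:
    """Return negotiate flags, their names and the optional Version field."""
    raw = base64.b64decode(b64)
    if token_kind(raw) != "ntlmssp":
        raise ValueError("not a raw NTLMSSP token")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE (1), got message type {msg_type}")
    info = {"flags": flags, "version": None,
            "flag_names": [n for bit, n in sorted(FLAGS.items()) if flags & bit]}
    # Version (8 bytes) sits at offset 32, after the DomainName/Workstation
    # fields, and is only present when NEGOTIATE_VERSION is set.
    if flags & NEGOTIATE_VERSION and len(raw) >= 40:
        major, minor, build, _rsv, rev = struct.unpack_from("<BBH3sB", raw, 32)
        info["version"] = f"{major}.{minor}.{build} (NTLMSSP revision {rev})"
    return info


if __name__ == "__main__":
    for label, tok in (("trusted site", TYPE1_TRUSTED_SITE),
                       ("explicit login", TYPE1_EXPLICIT_LOGIN)):
        i = parse_type1(tok)
        print(f"{label}: flags=0x{i['flags']:08x} {i['flag_names']} version={i['version']}")
```

Run as-is, the trusted-site token decodes to flags 0xa2088207 with a Version field of 5.1.2600, while the explicit-login token carries 0x00088207 and no Version field; both are raw NTLMSSP, so the difference the helper sees is in the flags, not the wrapping.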