[Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO) - Samba


Thread: [Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)

  1. [Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)

    Hallo,

    We protect a linux/apache server with mod_auth_ntlm_winbind.so to
    authenticate users with their domain accounts. The server is joined into
    a windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is
    configured for NTLM+SPNEGO authentication. So far users can log in when
    providing valid credentials.

    Users log in to their windows workstations (Windows XP SP2, IE/Firefox)
    with local accounts (not domain accounts) and access applications from
    the Internet, because they normally work outside the office. The local
    account name/password matches the domain account name/password. Thus we
    supposed we could provide a Single Signon between workstation and web
    applications. Browsers, when properly configured (IE -> [x] Integrated
    Windows Authentication + site in the Intranet Zone; Firefox ->
    network.automatic-ntlm-auth.trusted-uris and
    network.negotiate-auth.trusted-uris settings), can forward the user's
    local account credentials to the web server. This seamless authentication
    works fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so
    with error 500 (both IE and Firefox).

    Apache log:
    [Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received
    for child 3 (server intradev.haching.lan:443)
    [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
    192.168.31.39] Launched ntlm_helper, pid 3745
    [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
    192.168.31.39] creating auth user
    [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
    192.168.31.39] parsing reply from helper to YR
    TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw==\n
    [2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
    [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
    192.168.31.39] got response: BH
    [Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such
    file or directory: failed to parse response from helper
    [Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with
    unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)

    Winbindd log:
    [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
    child daemon request 19
    [2007/04/18 15:20:01, 3]
    nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains (121)
    [ 3698]: list trusted domains
    [2007/04/18 15:20:01, 3]
    nsswitch/winbindd_misc.c:winbindd_interface_version(491)
    [ 0]: request interface version
    [2007/04/18 15:20:01, 3]
    nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
    [ 0]: request location of privileged pipe
    [2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
    [ 0]: getgroups root
    [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
    child daemon request 21
    [2007/04/18 15:20:01, 3]
    nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
    [ 3698]: lookupname HACHING\root
    [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
    child daemon request 42
    [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
    child daemon request 54
    [2007/04/18 15:20:01, 3]
    nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
    [ 3698]: getsidaliases
    ....

    "getgroups root" is already strange here. And there is no HACHING\root
    user. Where does it come from? Of course winbind cannot look up this
    name. Once again, authentication fails only when the URL is set as a
    browser's trusted site. When I take the site out of the browser's trusted
    site list and log in explicitly with the same account, everything is fine:

    Apache:
    [Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received
    for child 0 (server intradev.haching.lan:443)
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
    [client 192.168.31.39] doing ntlm auth dance
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
    192.168.31.39] Launched ntlm_helper, pid 3823
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
    192.168.31.39] creating auth user
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
    192.168.31.39] parsing reply from helper to YR
    TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
    192.168.31.39] got response: TT
    TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAA AAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJ AE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAG kAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgA YQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411): [client
    192.168.31.39] sending back
    TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAA AAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJ AE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAG kAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgA YQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
    [Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request
    received for child 0 (server intradev.haching.lan:443)
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
    [client 192.168.31.39] doing ntlm auth dance
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client
    192.168.31.39] Using existing auth helper 3823
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
    192.168.31.39] parsing reply from helper to KK
    TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADA AMAEAAAAAKAAoATAAAAAAAAAAAAAAABYIIAHMAdAByAGkAZwBv AE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO 38BWoCtpXTgGPJMKm63kcbe4fTWd4=\n
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
    192.168.31.39] got response: AF testuser
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client
    192.168.31.39] authenticated testuser
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client
    192.168.31.39] retaining user testuser
    [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client
    192.168.31.39] keepalives: 1

    Winbind:
    [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.crs_uint8(615)
    0132 id_auth[4] : 00
    [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.crs_uint8(615)
    0133 id_auth[5] : 05
    [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.crs_uint32s(991)
    0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
    [2007/04/18 15:40:15, 5]
    nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
    Setting unix username to [testuser]
    [2007/04/18 15:40:15, 5]
    nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
    NTLM CRAP authentication for user [HACHING]\[testuser] returned
    NT_STATUS_OK (PAM: 0)

    Below is some configuration info

    Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24

    smb.conf
    [global]
    usershare allow guests = No
    workgroup = HACHING
    realm = HACHING.LAN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    security = domain
    #password server = sun.haching.lan
    winbind use default domain = yes

    mod_auth_ntlm_winbind.so configuration
    AuthName "NTLM Authentication thingy"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NegotiateAuth on
    NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
    NTLMBasicAuthoritative on
    AuthType Negotiate
    AuthType NTLM
    require valid-user

    Tests like net rpc testjoin, wbinfo -u, wbinfo -g and
    ntlm_auth --username=testuser are ok.

    Any ideas are welcome,

    regards,
    Serguei
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)

    Hello,

    there was a patch on samba-technical "[PATCH] mod_auth_ntlm_winbind - new
    feature to omit domain name from username". Maybe this patch helps with your
    problem?

    Cheers
    Stefan

    On Wednesday, 18 April 2007 15:52, Serguei wrote:


    --
    Stefan Gohmann, Development, gohmann@univention.de
    Univention GmbH, Linux for your Business, phone: +49 421 22 232-0
    Mary-Somerville-Str. 1, 28359 Bremen, fax: +49 421 22 232-99
    http://www.univention.de
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  3. Re: [Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)

    Stefan Gohmann wrote:
    > Hello,
    >
    > there was a patch on samba-technical "[PATCH] mod_auth_ntlm_winbind - new
    > feature to omit domain name from username". Maybe this patch helps for your
    > problem?
    >
    > Cheers
    > Stefan
    >
    > On Wednesday, 18 April 2007 15:52, Serguei wrote:
    >

    Thanks for the hint, Stefan.

    Unfortunately the patch didn't help. The problem occurs early, with the
    first SPNEGO message (YR). That's what both IE and Firefox send to a
    "trusted" site as the first negotiation message; winbind fails with an
    empty BH message:
    TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw==
    And this message is sent to the same site in "untrusted" mode, which
    ends with successful interactive authentication:
    TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

    regards,
    Serguei
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
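The two YR blobs compared in the last post can be decoded to see exactly where they differ. The following Python is an added example, not code from this thread or from Samba; it parses the NTLMSSP Type 1 (NEGOTIATE_MESSAGE) layout as specified in MS-NLMP, with the two base64 strings from the post embedded as input and the spaces the list archive inserted stripped before decoding.

```python
import base64
import struct

# NEGOTIATE_MESSAGE flag bits from MS-NLMP 2.2.2.5 (the subset relevant to Type 1)
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# The two YR payloads quoted in the thread (the space was inserted by the list archive).
TRUSTED_YR = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw=="
UNTRUSTED_YR = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="


def parse_negotiate(b64):
    """Decode an NTLMSSP NEGOTIATE_MESSAGE (Type 1) as carried in the YR helper request."""
    raw = base64.b64decode("".join(b64.split()))
    if raw[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE (type 1), got type %d" % msg_type)
    # DomainName and Workstation fields: Len, MaxLen, BufferOffset. They are only
    # meaningful when the matching OEM_*_SUPPLIED flag is set; both are empty here.
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
    info = {
        "length": len(raw),
        "flags": flags,
        "flag_names": [n for bit, n in sorted(NEGOTIATE_FLAGS.items()) if flags & bit],
        "domain": raw[dom_off:dom_off + dom_len].decode("latin-1"),
        "workstation": raw[ws_off:ws_off + ws_len].decode("latin-1"),
        "version": None,
    }
    # The 8-byte VERSION structure is present only when NEGOTIATE_VERSION is set:
    # major, minor, build (LE16), three reserved bytes, NTLMRevisionCurrent.
    if flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["version"] = (major, minor, build, raw[39])
    return info


def flag_delta(b64_a, b64_b):
    """Names of the negotiate flags set in message A but not in message B."""
    fa = parse_negotiate(b64_a)["flags"]
    fb = parse_negotiate(b64_b)["flags"]
    return [n for bit, n in sorted(NEGOTIATE_FLAGS.items()) if (fa & ~fb) & bit]


if __name__ == "__main__":
    for label, blob in (("trusted", TRUSTED_YR), ("untrusted", UNTRUSTED_YR)):
        i = parse_negotiate(blob)
        print("%-9s %d bytes flags=0x%08x version=%s"
              % (label, i["length"], i["flags"], i["version"]))
        print("          " + ", ".join(i["flag_names"]))
    print("extra in trusted:", ", ".join(flag_delta(TRUSTED_YR, UNTRUSTED_YR)))
```

Run as a script it shows that the trusted-site blob is 40 bytes with flags 0xa2088207 and a VERSION structure (5.1, build 2600, revision 15), while the untrusted-mode blob is 32 bytes with flags 0x00088207 and no version; the only flags that differ are NEGOTIATE_VERSION, NEGOTIATE_128 and NEGOTIATE_56.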
