Re: [Samba] Automatic Integrated Windows Auth (IWA) in firefox &nautilus - Samba

This is a discussion on Re: [Samba] Automatic Integrated Windows Auth (IWA) in firefox &nautilus - Samba ; On Fri, Jul 11, 2008 at 10:57:39AM +0800, Dikan Xing wrote: > Hi, all > > My problem is concerning Automatic Integrated Windows Auth (IWA). > > I've successfully on my ubuntu > a) joined a Windows domains (by net ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Re: [Samba] Automatic Integrated Windows Auth (IWA) in firefox &nautilus

  1. Re: [Samba] Automatic Integrated Windows Auth (IWA) in firefox &nautilus

    On Fri, Jul 11, 2008 at 10:57:39AM +0800, Dikan Xing wrote:
    > Hi, all
    >
    > My problem is concerning Automatic Integrated Windows Auth (IWA).
    >
    > I've successfully on my ubuntu
    > a) joined a Windows domains (by net join -S),
    > b) list domain users (by wbinfo -u),
    > c) logined gnome with a domain user (domain\username).
    >
    > What drives me to do all this is to expect
    > 1) my firefox automatically answers ntlm (a.k.a. iwa, integrated windows auth) when
    > I visit an Outlook Web Access site. (network.automatic-ntlm-auth.trusted-uris is set to proper value, which works in Windows)
    > 2) nautilus automatically login when I visit a share folder inside the domain
    > (by addresss starting smb://machine/folder.///)
    >
    > But neither works.
    >
    > Firefox prompt for username & password when I visit an Exchange site using IWA.
    > nautilus still prompt for password although he auto correctly fills the name & domain field.
    >
    > Is this a configuration problem of samba?
    > or that the implementation of firefox & nautilus take charge and they haven't implemented?


    We fixed this in SuSE when I was working for Novell by the
    use of helpers in firefox that would invoke the ntlm_auth
    code for old IIS servers that only use NTLM instead of
    kerberos. Winbindd has to have a credential cache set up
    from login in order to create the NTLMSSP blobs for firefox.
    Note sure of the state of that code integrated into the
    firefox shipped by Ubuntu - I know it's in the openSuSE
    one.

    Nautilus could use the same code (although I believe that
    uses krb5 tickets by preference).

    You might want to raise this one with launchpad. I can
    help them integrate the same code that was done for
    SuSE is they haven't already done it.

    The argument to ntlm_auth is ""ntlmssp-client-1"

    Jeremy.
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


  2. Re: [Samba] Automatic Integrated Windows Auth (IWA) in firefox &nautilus

    On Fri, Jul 11, 2008 at 05:13:42PM -0700, Jeremy Allison wrote:
    >
    > We fixed this in SuSE when I was working for Novell by the
    > use of helpers in firefox that would invoke the ntlm_auth
    > code for old IIS servers that only use NTLM instead of
    > kerberos. Winbindd has to have a credential cache set up
    > from login in order to create the NTLMSSP blobs for firefox.
    > Note sure of the state of that code integrated into the
    > firefox shipped by Ubuntu - I know it's in the openSuSE
    > one.
    >
    > Nautilus could use the same code (although I believe that
    > uses krb5 tickets by preference).
    >
    > You might want to raise this one with launchpad. I can
    > help them integrate the same code that was done for
    > SuSE is they haven't already done it.
    >
    > The argument to ntlm_auth is ""ntlmssp-client-1"


    Ok, I just checked in the firefox3 source code and
    the code to do this is included.

    It's under :

    mozilla/extensions/auth/nsAuthSambaNTLM.cpp

    I've started looking into the firefox binary
    on Ubuntu 8.04 with strings, but can't find
    the embedded string "ntlm_auth", which would need
    to be there in order for this support to be
    compiled in.

    The place it should be is :

    /usr/linb/xulrunner/components/libauth.so

    which contains the nsAuthGSSAPI strings,
    but not nsAuthSambaNTLM strings. Looks like
    someone deliberately didn't compile that into
    the Ubuntu version.

    Why would anyone do that ? Dumb, dumb, dumb..

    Jeremy.
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


+ Reply to Thread