Hi,

I'm trying to set up Apache2 with mod_ntlm_winbind so our Windows users can log onto our Intranet automatically without having to type in their username / password.

I've gotten part of the way there, but things aren't behaving the way I'd like/expect. So far, I've been able to log on using Firefox but only with the password dialog popping up, and then only if I enter my username as DOMAIN\username.

For a successful authentication with Firefox (using DOMAIN\username) I can see in the apache log file:

  [2006/08/29 20:19:04, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
    Got NTLMSSP neg_flags=0x00088207
  [2006/08/29 20:19:04, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
    Got user=[kmshanah] domain=[WUM3] workstation=[it-00] len1=24 len2=24
  [2006/08/29 20:19:04, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
    NTLMSSP Sign/Seal - Initialising with flags:
  [2006/08/29 20:19:04, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
    Got NTLMSSP neg_flags=0x00088235
  [2006/08/29 20:19:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
    Got NTLMSSP neg_flags=0x00088207
  [2006/08/29 20:19:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
    Got user=[kmshanah] domain=[WUM3] workstation=[it-00] len1=24 len2=24
  [2006/08/29 20:19:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
    NTLMSSP Sign/Seal - Initialising with flags:
  [2006/08/29 20:19:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
    Got NTLMSSP neg_flags=0x00088235

If I don't include the domain:

  [2006/08/29 20:22:27, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
    Got NTLMSSP neg_flags=0x00088207
  [2006/08/29 20:22:27, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
    Got user=[kmshanah] domain=[] workstation=[it-00] len1=24 len2=24
  [2006/08/29 20:22:27, 3] utils/ntlm_auth.c:winbind_pw_check(429)
    Login for user []\[kmshanah]@[it-00] failed due to [No such user]

And, with Internet Explorer nothing at all ends up in the Apache error.log file. All I see is the access denied line in access.log:

  192.168.0.53 - - [29/Aug/2006:20:15:57 +0930] "GET /auth-test HTTP/1.1" 401 547 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Here's the config I'm using in Apache:

  <Directory /var/www/auth-test>
    NTLMAuth on
    NTLMBasicAuthoritative on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    AuthType NTLM
    AuthName "NTLM Authentication Test"
    require valid-user
  </Directory>

I tried adding --domain=WUM3 to the NTLMAuthHelper line, but that didn't seem to make any difference.

Any help or ideas would be appreciated!

Thanks,
Kevin.
On 08/29/2006 08:03 AM, Kevin Shanahan wrote:
> Hi,
>
> I'm trying to set up Apache2 with mod_ntlm_winbind so our Windows users
> can log onto our Intranet automatically without having to type in their
> username / password.

Just a suggestion, kerberos could be a good way to achieve Single Sign On. Do you need mod_ntlm_winbind? I have good references for mod_ntlm.

http://twiki.org/cgi-bin/view/Codev/TransparentAuthentication#Using_NTLM

And there is a nice document about NTLM Authentication that just happened to be updated these days.

http://davenport.sourceforge.net/ntlm.html

[...]

Anyway, I hope this helps.

-- 
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
On Tue, 2006-08-29 at 10:56 -0300, Felipe Augusto van de Wiel wrote:
> On 08/29/2006 10:47 AM, Kevin Shanahan wrote:
> [...]
> > Internet Explorer still fails, but I see something in the logs now
> > (upped the LogLevel to debug, was at info before):
> >
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(529): [client 192.168.0.53] Launched ntlm_helper, pid 1849
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(699): [client 192.168.0.53] creating auth user
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
> > [2006/08/29 23:02:37, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: BH
> > [Tue Aug 29 23:02:37 2006] [error] [client 192.168.0.53] (2)No such file or directory: failed to parse response from helper
> >
> > Where is the "No such file" error coming from?
>
> Is the helper really working? Did you hand-test it?

Can you describe how to do that?

Looking at http://devel.squid-cache.org/ntlm/squid_helper_protocol.html, it seems that the helper should be returning TT <something>, but is returning BH instead. How can I get more information from the helper about what the problem is?

Regards,
Kevin.
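As an added example (not part of the thread, and not Samba or mod_ntlm_winbind code), the script below reads a logged module-to-helper request and the helper's reply in the squid-2.5-ntlmssp protocol, decodes the NTLMSSP token the browser sent (message type, negotiate flags, and the OS version field when present) and states what each reply code means, so a BH can be told apart from an NA before anyone touches the client. The flag values and field offsets follow the public MS-NLMP layout; the YR line and bare BH reply are copied from the debug log quoted above.

```python
import base64
import struct

# Subset of NTLMSSP negotiate flags (MS-NLMP) seen in this thread's logs
NEG_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION", 0x20000000: "128", 0x80000000: "56",
}
# Offsets of NegotiateFlags and of the optional Version field, per message type
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}
VERSION_OFFSET = {1: 32, 2: 48, 3: 64}
# Helper -> module reply codes of the squid-2.5-ntlmssp protocol
REPLY_MEANING = {
    "TT": "challenge token to relay to the browser (the expected answer to YR)",
    "AF": "authentication succeeded; payload is the user name",
    "NA": "authentication failed; payload is the reason",
    "BH": "helper internal error: look at ntlm_auth/winbindd, not at the browser",
}

def decode_ntlmssp(token_b64):
    """Return type, negotiate flags and (if flagged) OS version of an NTLMSSP token."""
    raw = base64.b64decode(token_b64)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    flags = struct.unpack_from("<I", raw, FLAGS_OFFSET[msg_type])[0]
    version = None
    if flags & 0x02000000 and len(raw) >= VERSION_OFFSET[msg_type] + 8:
        version = struct.unpack_from("<BBH", raw, VERSION_OFFSET[msg_type])  # major, minor, build
    names = sorted(name for bit, name in NEG_FLAGS.items() if flags & bit)
    return {"type": msg_type, "flags": flags, "flag_names": names, "version": version}

def explain_exchange(request_line, reply_line):
    """Interpret one module->helper request and the helper's reply, as logged by mod_ntlm_winbind."""
    req_code, _, token = request_line.strip().partition(" ")
    rep_code, _, payload = reply_line.strip().partition(" ")
    if req_code not in ("YR", "KK") or rep_code not in REPLY_MEANING:
        raise ValueError(f"unknown helper codes {req_code!r}/{rep_code!r}")
    return {"request": req_code, "client_token": decode_ntlmssp(token),
            "reply": rep_code, "meaning": REPLY_MEANING[rep_code], "payload": payload}

# Constructed from the YR line and the bare "BH" reply quoted in the thread above
YR_LINE = "YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
BH_LINE = "BH"
if __name__ == "__main__":
    for key, value in explain_exchange(YR_LINE, BH_LINE).items():
        print(f"{key}: {value}")
```

The same decoder applies to the KK line (a Type 3 token) the module sends after the browser answers the challenge, which is where a user or domain mismatch like the `domain=[]` case above would show up.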
Kevin Shanahan
2006-Sep-01 02:33 UTC
[Samba] [SOLVED (well, the ntlmssp part)] RE: mod_ntlm_winbind / Apache2
On Tue, 2006-08-29 at 20:33 +0930, Kevin Shanahan wrote:
> I'm trying to set up Apache2 with mod_ntlm_winbind so our Windows users
> can log onto our Intranet automatically without having to type in their
> username / password.
>
> I've gotten part of the way there, but things aren't behaving the way
> I'd like/expect. So far, I've been able to log on using Firefox but only
> with the password dialog popping up, and then only if I enter my
> username as DOMAIN\username.

Okay, I found out the issue with Firefox was just a client configuration issue. Firefox needs to have the intranet URI added to the network.automatic-ntlm-auth.trusted-uris setting in about:config.

The issue with IE6 turned out to be Debian's mod_ssl config file disabling keepalive for all user agents matching '.*MSIE.*'. Once that was removed, it works fine.

> <Directory /var/www/auth-test>
> NTLMAuth on
> NTLMBasicAuthoritative on
> NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
> AuthType NTLM
> AuthName "NTLM Authentication Test"
> require valid-user
> </Directory>

This config is now working, but there are still problems if I add spnego. IE6 seems to respond to the "WWW-Authenticate: Negotiate" reply from apache with an NTLMSSP challenge. Haven't figured that one out yet.

Regards,
Kevin.