samba - Jul 2008 - Automatic Integrated Windows Auth (IWA) in firefox & nautilus

Hi, all

My problem is concerning Automatic Integrated Windows Auth (IWA).

I've successfully on my ubuntu
a) joined a Windows domains (by net join -S), =20
b) list domain users (by wbinfo -u),
c) logined gnome with a domain user (domain\username).

What drives me to do all this is to expect
1) my firefox automatically answers ntlm (a.k.a. iwa, integrated windows auth)
when=20
I visit an Outlook Web Access site. (network.automatic-ntlm-auth.trusted-uris is
set to proper value, which works in Windows)
2) nautilus automatically login when I visit a share folder inside the domain=20
(by addresss starting smb://machine/folder.///)

But neither works.

Firefox prompt for username & password when I visit an Exchange site using
IWA.
nautilus still prompt for password although he auto correctly fills the name
& domain field.

Is this a configuration problem of samba?
or that the implementation of firefox & nautilus take charge and they
haven't implemented?

Many Thanks

Dikan Xing

On Fri, Jul 11, 2008 at 10:57:39AM +0800, Dikan Xing
wrote:
> Hi, all
> 
> My problem is concerning Automatic Integrated Windows Auth (IWA).
> 
> I've successfully on my ubuntu
> a) joined a Windows domains (by net join -S),  
> b) list domain users (by wbinfo -u),
> c) logined gnome with a domain user (domain\username).
> 
> What drives me to do all this is to expect
> 1) my firefox automatically answers ntlm (a.k.a. iwa, integrated windows
auth) when
> I visit an Outlook Web Access site.
(network.automatic-ntlm-auth.trusted-uris is set to proper value, which works in
Windows)
> 2) nautilus automatically login when I visit a share folder inside the
domain
> (by addresss starting smb://machine/folder.///)
> 
> But neither works.
> 
> Firefox prompt for username & password when I visit an Exchange site
using IWA.
> nautilus still prompt for password although he auto correctly fills the
name & domain field.
> 
> Is this a configuration problem of samba?
> or that the implementation of firefox & nautilus take charge and they
haven't implemented?
We fixed this in SuSE when I was working for Novell by the
use of helpers in firefox that would invoke the ntlm_auth
code for old IIS servers that only use NTLM instead of
kerberos. Winbindd has to have a credential cache set up
from login in order to create the NTLMSSP blobs for firefox.
Note sure of the state of that code integrated into the
firefox shipped by Ubuntu - I know it's in the openSuSE
one.

Nautilus could use the same code (although I believe that
uses krb5 tickets by preference).

You might want to raise this one with launchpad. I can
help them integrate the same code that was done for
SuSE is they haven't already done it.

The argument to ntlm_auth is ""ntlmssp-client-1"

Jeremy.

On Fri, Jul 11, 2008 at 10:57:39AM +0800, Dikan Xing
wrote:
> 
> Firefox prompt for username & password when I visit an Exchange site
using IWA.
> nautilus still prompt for password although he auto correctly fills the
name & domain field.
Ok, what I need you to do is to start firefox, then
start a terminal. In the terminal, type :

strace -p <pid>

where <pid> is the process id of the firefox
process,

Then visit the Exchange site needing IWA
auth. You should see firefox attempting to
exec the "ntlm_auth" binary in the log
produced. Can you post that please ?

Jeremy.