I have been trying to get SSO to work correctly with the following packages, and it appears I am missing something. I was wondering if anyone can help me or point me in the right direction?

I am currently using the "auth_ntlm_winbind_module" for Apache to try to authenticate and was hoping to get SSO to work.

I have gone through all the steps on SEVERAL sites trying to figure out how to auth to the website if the user is in the domain.

Steps Taken:

· Added the server running Apache (2.2.15) to the domain
· Can see the server name in AD
· Can use "wbinfo -t" and get the following: "checking the trust secret for domain DOMAINSERVER via RPC calls succeeded"
· Can use "wbinfo -n username" and it returns me the SID_USER

When I go to the website using the config below, I am prompted for credentials. I enter my AD credentials (tried several accounts), it allows me to authenticate and I am shown the page. It appears it's checking to see if the user is authenticated to access the page, but I am curious why I can't get SSO to work automatically.

Any help or suggestions would be great!

Thanks!

LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
<Directory "/var/www/html/test">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "NTLM Authentication"
    AuthType NTLM
    Require valid-user
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    NegotiateAuth on
</Directory>

Jonas Turner │ Security Analyst II
Ph: 419.254.4890 │ Fax: 419.252.5557
E-mail: joturner at hcr-manorcare.com

On 30/06/16 18:30, Turner,Jonas wrote:
> I have been trying to get SSO to work correctly with the following packages, and I appear I am missing something and I was wondering if anyone can help me or point me in the right direction?
>
> I am currently using the "auth_ntlm_winbind_module" for apache to try and authenticate and was hoping to get SSO to work.
>
> I have gone through all the steps on SEVERAL sites trying to figure out how to auth to the website if the user is in the domain.
> Steps Taken:
>
> · Added the server running Apache (2.2.15) to the domain
>
> · Can see the server name in AD
>
> · Can use "wbinfo -t" and get the following "checking the trust secret for domain DOMAINSERVER via RPC calls succeeded"
>
> · Can use "wbinfo -n username" and it returns me the SID_USER
>
> When I go to the website using the config below, I go to the website but I am being prompted for credentials. I enter my AD credentials (tried several accounts), it allows me to authenticate and I am shown the page. It appears it's checking to see if the user is authenticated to access the page, but curious on why I can't get SSO to work automatically.
>
> Any help or suggestions would be great!
>
> Thanks!
>
> LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
> <Directory "/var/www/html/test">
>     Options ExecCGI
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     AuthName "NTLM Authentication"
>     AuthType NTLM
>     Require valid-user
>     NTLMAuth on
>     NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
>     NTLMBasicAuthoritative on
>     NegotiateAuth on
> </Directory>
>
> Jonas Turner │ Security Analyst II
> Ph: 419.254.4890 │ Fax: 419.252.5557
> E-mail: joturner at hcr-manorcare.com

Have you tried reading this wiki page:

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

Rowland

I have. The only issue is that we are using the Windows AD environment, so the "samba-tool" doesn't apply. I wasn't sure if anyone was able to get it to work without Kerberos.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
Sent: Thursday, June 30, 2016 1:45 PM
To: samba at lists.samba.org
Subject: Re: [Samba] samba/winbind/apache/sso question

On 30/06/16 18:30, Turner,Jonas wrote:
> I have been trying to get SSO to work correctly with the following packages, and I appear I am missing something and I was wondering if anyone can help me or point me in the right direction?
>
> I am currently using the "auth_ntlm_winbind_module" for apache to try and authenticate and was hoping to get SSO to work.
>
> I have gone through all the steps on SEVERAL sites trying to figure out how to auth to the website if the user is in the domain.
> Steps Taken:
>
> · Added the server running Apache (2.2.15) to the domain
>
> · Can see the server name in AD
>
> · Can use "wbinfo -t" and get the following "checking the trust secret for domain DOMAINSERVER via RPC calls succeeded"
>
> · Can use "wbinfo -n username" and it returns me the SID_USER
>
> When I go to the website using the config below, I go to the website but I am being prompted for credentials. I enter my AD credentials (tried several accounts), it allows me to authenticate and I am shown the page. It appears it's checking to see if the user is authenticated to access the page, but curious on why I can't get SSO to work automatically.
>
> Any help or suggestions would be great!
>
> Thanks!
>
> LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
> <Directory "/var/www/html/test">
>     Options ExecCGI
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     AuthName "NTLM Authentication"
>     AuthType NTLM
>     Require valid-user
>     NTLMAuth on
>     NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
>     NTLMBasicAuthoritative on
>     NegotiateAuth on
> </Directory>
>
> Jonas Turner │ Security Analyst II
> Ph: 419.254.4890 │ Fax: 419.252.5557
> E-mail: joturner at hcr-manorcare.com

Have you tried reading this wiki page:

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

Rowland

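Added example, not part of the thread and not code from Samba or mod_auth_ntlm_winbind: one way to see what a browser actually returns after the server's 401 is to classify the Authorization header value it sends (for instance copied from the browser's developer tools). The sketch tells Basic, raw NTLM (message type and, for type 3, the domain, user and workstation fields) and SPNEGO tokens apart; the function names and the sample message with EXAMPLE, alice and WS01 are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2

def read_field(msg, off, is_unicode):
    """Decode the string behind one NTLM (len, maxlen, offset) descriptor."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    raw = msg[start:start + length]
    return raw.decode("utf-16-le" if is_unicode else "latin-1", "replace")

def classify_authorization(value):
    """Classify the value of a client's HTTP Authorization header."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() == "basic":
        return {"kind": "basic"}  # user:password, only base64-encoded
    if scheme.lower() not in ("ntlm", "negotiate"):
        return {"kind": "other"}
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return {"kind": "malformed"}
    if tok.startswith(NTLM_SIG) and len(tok) >= 12:
        (mtype,) = struct.unpack_from("<I", tok, 8)  # 1=negotiate, 3=authenticate
        out = {"kind": "ntlm", "type": mtype}
        if mtype == 3 and len(tok) >= 64:
            uni = bool(struct.unpack_from("<I", tok, 60)[0] & 0x1)
            out.update(domain=read_field(tok, 28, uni),
                       user=read_field(tok, 36, uni),
                       workstation=read_field(tok, 44, uni))
        return out
    if tok[:1] == b"\x60":  # GSS-API / SPNEGO initial token
        if KRB5_OID in tok:
            return {"kind": "spnego-kerberos"}
        return {"kind": "spnego-ntlm" if NTLM_SIG in tok else "spnego-other"}
    return {"kind": "unknown"}

def sample_type3(domain, user, host):
    """Constructed NTLM type 3 message with empty responses (sample data)."""
    parts = [s.encode("utf-16-le") for s in (domain, user, host)]
    empty, fields, off = struct.pack("<HHI", 0, 0, 64), b"", 64
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), off)
        off += len(p)
    return (NTLM_SIG + struct.pack("<I", 3) + empty * 2 + fields + empty
            + struct.pack("<I", 0x1) + b"".join(parts))

if __name__ == "__main__":
    hdr = "NTLM " + base64.b64encode(sample_type3("EXAMPLE", "alice", "WS01")).decode()
    print(classify_authorization(hdr))
```
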