Attempting to use mod_ntlm_winbind to provide passthrough
authentication to an apache vhost, I'm running into a problem that I
hope is merely me misunderstanding the proper setup...
The details:
serverside:
freebsd 4.10-p3
mod_ntlm_winbind.c rev 117 from svn
samba 3.0.11 from freebsd ports
apache 1.3.33+mod_ssl from freebsd ports
Windows 2000 Server SP4
clientside:
Windows XP SP2
IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
The apache virtual host definition:
<VirtualHost 10.1.1.249:80>
ServerName rt-test.elided.com
DocumentRoot /usr/local/rt3/share/html
AddDefaultCharset UTF-8
PerlModule Apache::DBI
PerlRequire /usr/local/rt3/bin/webmux.pl
<Location />
SetHandler perl-script
PerlHandler RT::Mason
AuthName "NTLM Authentication test"
NTLMAuth on
NTLMAuthHelper "/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Location>
</VirtualHost>
With this in place, a logged-in user attempting to connect to that
vhost via IE is immediately prompted for a password, with the username
portion of the dialog box filled in as "rt-test.elided.com\username".
This itself is confusing, since presumably IE is supposed to attempt
the initial auth on its own without any user interaction. At this
point, the apache error log is empty of debug output from
mod_ntlm_winbind.
If the user provides their password, the login fails, and the
following is recorded to the apache error log:
[Wed Mar 23 10:00:44 2005] [debug] mod_ntlm_winbind.c(522): [client
10.1.1.71] user not authenticated: NT_STATUS_NO_SUCH_USER
...which is a bit odd, since I can use ntlm_auth on the command line
to verify my own credentials with no problem.
Is it possible to get more verbose debugging output from
mod_ntlm_winbind? Lacking that, would anyone who has managed to
actually get this working feel like letting me pick their brains?
-n
------------------------------------------------------<memory@blank.org>
It's the little touches that make a future solid enough to be destroyed.
(--William S. Burroughs)
<http://blank.org/memory/>----------------------------------------------
On Wed, 2005-03-23 at 10:40 -0500, Nathan J. Mehl wrote:
> With this in place, a logged-in user attempting to connect to that
> vhost via IE is immediately prompted for a password, with the username
> portion of the dialog box filled in as "rt-test.elided.com\username".
> This itself is confusing, since presumably IE is supposed to attempt
> the initial auth on its own without any user interaction.

This happens because the hostname has a '.' in it, and so it is no
longer in the trusted zone. Therefore, no credentials are supplied
automatically. Then, because the hostname is not a valid domain name on
the target domain controller, the authentication fails.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
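The two steps in Andrew's explanation, modelled as an added example (this is not code from the thread, from mod_ntlm_winbind or from Samba). It applies IE's default zone rule (a host name without a '.' lands in the Local intranet zone and gets the logged-in user's token automatically; a dotted name or an IP literal is treated as Internet and triggers the prompt, unless the site has been added to the intranet zone by hand), then splits whatever the user types at the prompt into domain and user, and shows why a domain of "rt-test.elided.com" ends in NT_STATUS_NO_SUCH_USER. The domain names `ELIDED` / `elided.com`, the account name `username`, the explicit intranet site list and the password-free DC lookup are assumptions made for illustration:

```python
# Added example, not from the original thread: a model of IE's zone rule
# and of what the DC sees after the credential prompt. Domain names, the
# account name and the intranet site list are assumptions for illustration.

# Constructed: the NetBIOS and DNS names the domain controller answers for.
KNOWN_DOMAINS = {"ELIDED", "elided.com"}


def ie_sends_credentials_automatically(host, intranet_sites=()):
    """Model of IE's default Integrated Windows Authentication zone rule.

    With default settings IE only answers an NTLM challenge on its own for
    hosts in the Local intranet zone. A host lands there either because it
    was listed explicitly (Internet Options > Security > Local intranet >
    Sites) or because its name contains no '.', i.e. it is a plain
    single-label name. A dotted name such as rt-test.elided.com, or an IP
    literal, falls into the Internet zone, so IE prompts instead.
    """
    host = host.lower().rstrip(".")
    if host in {s.lower().rstrip(".") for s in intranet_sites}:
        return True
    return "." not in host


def split_credential(typed, default_domain):
    """Split the text typed at the prompt into (domain, user).

    Handles DOMAIN\\user, user@domain and a bare user name (which takes the
    default domain). For the prompt in the thread the prefilled text is
    "rt-test.elided.com\\username", so the web host's name becomes the domain.
    """
    if "\\" in typed:
        domain, user = typed.split("\\", 1)
    elif "@" in typed:
        user, domain = typed.rsplit("@", 1)
    else:
        domain, user = default_domain, typed
    return domain, user


def dc_lookup(domain, user, known_domains=KNOWN_DOMAINS):
    """Model of the status ntlm_auth hands back to mod_ntlm_winbind.

    A domain the DC does not know cannot resolve the account, so the helper
    reports NT_STATUS_NO_SUCH_USER whatever the password was. The password
    check itself is deliberately not modelled (assumption: a known domain and
    user succeed).
    """
    if domain.lower() not in {d.lower() for d in known_domains}:
        return "NT_STATUS_NO_SUCH_USER"
    return "NT_STATUS_OK"


def diagnose(host, typed, default_domain="ELIDED", intranet_sites=()):
    """Return (how credentials were obtained, resulting DC status)."""
    if ie_sends_credentials_automatically(host, intranet_sites):
        # Token of the logged-in user: domain is the real logon domain.
        return ("auto", dc_lookup(default_domain, "username"))
    domain, user = split_credential(typed, default_domain)
    return ("prompt", dc_lookup(domain, user))


if __name__ == "__main__":
    # Dotted vhost name -> Internet zone -> prompt -> hostname used as domain.
    print(diagnose("rt-test.elided.com", "rt-test.elided.com\\username"))
    # -> ('prompt', 'NT_STATUS_NO_SUCH_USER')
    # Same vhost added to the Local intranet zone -> token sent automatically.
    print(diagnose("rt-test.elided.com", "", intranet_sites=["rt-test.elided.com"]))
    # -> ('auto', 'NT_STATUS_OK')
    # Typing a domain the DC actually knows at the prompt.
    print(diagnose("rt-test.elided.com", "ELIDED\\username"))
    # -> ('prompt', 'NT_STATUS_OK')
```

The same two checks are what to run against the real setup: confirm which zone IE puts the vhost in (status bar, or the Sites list), and when testing ntlm_auth by hand, pass the domain IE would have sent (the vhost name) rather than the one you know is right, since the command-line test with the correct domain says nothing about the prompted path.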