samba - Dec 2005 - NTLM and Samba domain - problem with (non-local) logons.

Hello!

I have a quite strange issue with the Samba based NT domain that I administer.
I've triet to search for the solution but none of the information that I had
found seemed to work.

The trouble is that I can't manage to setup a ntlm based authentication. It
applies to both linux and w32 architectures. In the latter case I achieve
some level of usability - I can login locally. If I try to access the page
from a remote computer I receive the usual "Basic" authentication
popup.

Samba is configured to keep all the information in a LDAP backend. Apart
from the NTLM everything else works rather ok.

Things that do function:

1. Local testing.

[root@?~]# read -s PASSWORD
[root@?~]# ntlm_auth --username=manthios --password=$PASSWORD
NT_STATUS_OK: Success (0x0)

2. w32-apache + mod_auth_sspi - LOCAL

As I mentioned before I'm able to authenticate to a ntlm-protected resource
if
and only if I login from the same machine the site is running on. If I try to
access the ntlm-protected page from a different computer I get the Basic auth
prompt.

Things that do not work:

1. NTLM on Apache in the Linux environment

No matter whether I try to use mod_ntlm (both original and patched) or
Apache2::AuthenNTLM I can't force it to work properly with the MSIE on
domain
accounts.

2. Remote authentication with mod_auth_sspi

If I try to login remotely to a ntlm-protected area I get the basic
authentication window.

Does anyone know what could be the reason of such a misbehaviour?

Thanks in advance for any sort of help - even RTFM will do :)

Best regards,
Pawel Sawicki

On Wed, 2005-12-07 at 13:00 +0100, Pawel Sawicki wrote:
> Hello!
> 
> I have a quite strange issue with the Samba based NT domain that I
administer.
> I've triet to search for the solution but none of the information that
I had
> found seemed to work.
> 
> The trouble is that I can't manage to setup a ntlm based
authentication. It
> applies to both linux and w32 architectures. In the latter case I achieve
> some level of usability - I can login locally. If I try to access the page
> from a remote computer I receive the usual "Basic" authentication
popup.
> 
> Samba is configured to keep all the information in a LDAP backend. Apart
> from the NTLM everything else works rather ok.
> 
> Things that do function:
> 
> 1. Local testing.
> 
> [root@?~]# read -s PASSWORD
> [root@?~]# ntlm_auth --username=manthios --password=$PASSWORD
> NT_STATUS_OK: Success (0x0)
> 
> 2. w32-apache + mod_auth_sspi - LOCAL
> 
> As I mentioned before I'm able to authenticate to a ntlm-protected
resource if
> and only if I login from the same machine the site is running on. If I try
to
> access the ntlm-protected page from a different computer I get the Basic
auth
> prompt.
> 
> Things that do not work:
> 
> 1. NTLM on Apache in the Linux environment
> 
> No matter whether I try to use mod_ntlm (both original and patched) or
> Apache2::AuthenNTLM I can't force it to work properly with the MSIE on
domain
> accounts.
Have you tried mod_ntlm_winbind on apache 1.3 (the apache2 port team
seems to have died off).
> 2. Remote authentication with mod_auth_sspi
> 
> If I try to login remotely to a ntlm-protected area I get the basic
> authentication window.
I'm presuming this is on the windows server?
> Does anyone know what could be the reason of such a misbehaviour?
We will need much more information than this.  Is the windows server
joined to the domain correctly?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20051209/baca9c5f/attachment.bin

On Fri, Dec 09, 2005 at 04:24:38AM -0800, Andrew Bartlett wrote:
> Have you tried mod_ntlm_winbind on apache 1.3 (the apache2 port team
> seems to have died off).
No. I must use Apache2 due to integration with the Subversion - mod_svn does
not work on Apache 1.3 AFAIK.
> We will need much more information than this.  Is the windows server
> joined to the domain correctly?
I can log in to this very computer using the domain account, so I
suppose it should be rather ok. What else would you need?

Best regards,
Pawel Sawicki