Dave
2006-Oct-10 10:39 UTC
[Samba] Combining mod_auth_winbind with other authorization modules
I'm trying to use the mod_auth_winbind module from lorikeet SVN to control access to an Apache 2.2.3 server. Samba is 3.0.23b supplied with Mandriva 2007 and is configured as a member of a w2k3 AD domain. The Apache users are using IE on W2k or XP domain member clients.

Samba and winbind are working as expected, and if I just use the mod_auth_winbind module to authenticate the users Apache seems to be OK. However I also need to use an authorization module to control access to user groups via the '.htaccess' files. I've tried both mod_authz_groupfile and mod_authz_dbm; in each case authentication occasionally falls apart as the following (redacted) Apache error log segment shows:

mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 28125, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(699): creating auth user, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to YR Tl...ND\n, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(788): got response: TT Tl...AA, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(455): sending back Tl...AA, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(472): Decrement the connection request count to keep it alive, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(531): Using existing auth helper 28125, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to KK Tl...ND\n, referer: http://myserver/homepage/left.html
libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 1, expected 3
mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(812): user not authenticated: NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(1019): reauth, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 28126, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(699): creating auth user, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to YR Tl...9=\n, referer: http://myserver/homepage/left.html
libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 3, expected 1
mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(812): user not authenticated: NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(531): Using existing auth helper 28126, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to KK Tl...9=\n, referer: http://myserver/homepage/left.html
libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 3, expected 1
mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(812): user not authenticated: NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
[notice] child pid 28108 exit signal Segmentation fault (11)

It seems that the browser opens two sessions with the server and the auth mechanism gets mixed up between the two. The browser displays a mixture of HTTP headers and the usual Apache 401 message.

Does mod_auth_winbind have any known problems combining in this way?

--
Dave
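A diagnostic for a log like the one in this post, as an added example that is not part of the original message and not code from mod_auth_winbind or Samba: it reads the NTLMSSP message type out of each blob passed to the helper with YR or KK and reports, per helper pid, every message that arrives out of sequence. The function names, the constructed sample blobs (the real ones are redacted in the post) and the simplified helper state model are assumptions.

```python
import base64
import re
import struct

PID_RE = re.compile(r"(?:Launched ntlm_helper, pid|Using existing auth helper) (\d+)")
REQ_RE = re.compile(r"parsing reply from helper to (YR|KK) (\S+?)(?:\\n)?,")

def ntlmssp_type(blob_b64):
    """Return the NTLMSSP message type (1, 2 or 3), or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    ok = len(raw) >= 12 and raw[:8] == b"NTLMSSP\x00"
    return struct.unpack_from("<I", raw, 8)[0] if ok else None

def find_out_of_sequence(log_lines):
    """Return [(helper_pid, command, got_type, expected_type)] for rejected steps."""
    # Assumed model: a helper waits for type 1, then type 3; a reject changes nothing.
    expected, pid, bad = {}, None, []
    for line in log_lines:
        m = PID_RE.search(line)
        if m:
            pid = int(m.group(1))
            expected.setdefault(pid, 1)
        m = REQ_RE.search(line)
        if m and pid is not None:
            cmd, got = m.group(1), ntlmssp_type(m.group(2))
            if got == expected[pid]:
                expected[pid] = 3 if got == 1 else 1
            else:
                bad.append((pid, cmd, got, expected[pid]))
    return bad

def sample_blob(msg_type):
    # Constructed header only (signature, type, zero padding), not a real message.
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + bytes(20)).decode()

def sample_log():
    # Constructed lines in the page's log format; the real blobs are redacted there.
    ref = "referer: http://myserver/homepage/left.html"
    verb = {"YR": "(529): Launched ntlm_helper, pid", "KK": "(531): Using existing auth helper"}
    steps = [(28125, "YR", 1), (28125, "KK", 1), (28126, "YR", 3), (28126, "KK", 3)]
    return [line for pid, cmd, t in steps for line in (
        f"mod_ntlm_winbind.c{verb[cmd]} {pid}, {ref}",
        f"mod_ntlm_winbind.c(750): parsing reply from helper to {cmd} {sample_blob(t)}\\n, {ref}")]

if __name__ == "__main__":
    for pid, cmd, got, want in find_out_of_sequence(sample_log()):
        print(f"helper {pid}: {cmd} carried NTLMSSP type {got}, helper expected {want}")
```

On the constructed sample the three reported mismatches line up with the three ntlmssp_update "got NTLMSSP command N, expected M" lines in the log above.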