Serguei
2007-Apr-18 13:53 UTC
[Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)
Hallo,
We protect linux/apache server with mod_auth_ntlm_winbind.so to
authenticate users with their domain accounts. The server is joined into
windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is
configured for NTLM+SPNEGO authentication. So far users can login when
providing valid credentials.
Users login into their windows workstation (Windows XP SP2 IE/Firefox)
with local accounts (not domain accounts) and access applications from
Internet, because they normally work outside the office. Local account
name/password matches domain account name/password. Thus we supposed to
provide a Single Signon between workstation and web applications.
Browsers when properly configured (IE -> [x] Integrated Windows
Authentication+site in the Intranet Zone, Firefox ->
network.automatic-ntlm-auth.trusted-uris,
network.negotiate-auth.trusted-uris settings) can forward users local
account credentials to the web server. This seamless authentication
works fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so
with error 500 (both IE and Firefox)
Apache log:
[Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received
for child 3 (server intradev.haching.lan:443)
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
192.168.31.39] Launched ntlm_helper, pid 3745
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
192.168.31.39] creating auth user
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
192.168.31.39] parsing reply from helper to YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
[2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
192.168.31.39] got response: BH
[Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such
file or directory: failed to parse response from helper
[Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with
unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)
Winbindd log.
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 19
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
[ 3698]: list trusted domains
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 0]: request interface version
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 0]: request location of privileged pipe
[2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
[ 0]: getgroups root
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 21
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
[ 3698]: lookupname HACHING\root
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 42
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
child daemon request 54
[2007/04/18 15:20:01, 3]
nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
[ 3698]: getsidaliases
...
"getgroups root" is already strange here. And there is no HACHING\root
user. where does it come from? Of course winbind cannot lookup this
name. Once again, authentication fail only when URL set as the browser's
trusted site. When I take the site out of browser's trusted site list
and login explicitly with the same account, everything is fine:
Apache
[Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received
for child 0 (server intradev.haching.lan:443)
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
[client 192.168.31.39] doing ntlm auth dance
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
192.168.31.39] Launched ntlm_helper, pid 3823
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
192.168.31.39] creating auth user
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
192.168.31.39] parsing reply from helper to YR
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
192.168.31.39] got response: TT
TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411): [client
192.168.31.39] sending back
TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
[Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request
received for child 0 (server intradev.haching.lan:443)
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
[client 192.168.31.39] doing ntlm auth dance
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client
192.168.31.39] Using existing auth helper 3823
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
192.168.31.39] parsing reply from helper to KK
TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAAAAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO38BWoCtpXTgGPJMKm63kcbe4fTWd4=\n
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
192.168.31.39] got response: AF testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client
192.168.31.39] authenticated testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client
192.168.31.39] retaining user testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client
192.168.31.39] keepalives: 1
Winbind:
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
0132 id_auth[4] : 00
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
0133 id_auth[5] : 05
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991)
0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
[2007/04/18 15:40:15, 5]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
Setting unix username to [testuser]
[2007/04/18 15:40:15, 5]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
NTLM CRAP authentication for user [HACHING]\[testuser] returned
NT_STATUS_OK (PAM: 0)
Below is some configuration info
Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24
smb.conf
[global]
usershare allow guests = No
workgroup = HACHING
realm = HACHING.LAN
idmap uid = 10000-20000
idmap gid = 10000-20000
security = domain
#password server = sun.haching.lan
winbind use default domain = yes
mod_auth_ntlm_winbind.so configuration
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp"
NegotiateAuth on
NegotiateAuthHelper "/usr/bin/ntlm_auth
--helper-protocol=gss-spnego"
NTLMBasicAuthoritative on
AuthType Negotiate
AuthType NTLM
require valid-user
Tests like net rpc testjoin, wbinfo -u, wbinfo -g, ntlm_auth
--username=testuser
are ok.
Any ideas are welcome,
regards,
Serguei
Stefan Gohmann
2007-Apr-19 06:03 UTC
[Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)
Hello, there was a patch on samba-technical "[PATCH] mod_auth_ntlm_winbind - new feature to omit domain name from username". Maybe this patch helps for your problem? Cheers Stefan Am Mittwoch, 18. April 2007 15:52 schrieb Serguei:> Hallo, > > We protect linux/apache server with mod_auth_ntlm_winbind.so to > authenticate users with their domain accounts. The server is joined into > windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is > configured for NTLM+SPNEGO authentication. So far users can login when > providing valid credentials. > > Users login into their windows workstation (Windows XP SP2 IE/Firefox) > with local accounts (not domain accounts) and access applications from > Internet, because they normally work outside the office. Local account > name/password matches domain account name/password. Thus we supposed to > provide a Single Signon between workstation and web applications. > Browsers when properly configured (IE -> [x] Integrated Windows > Authentication+site in the Intranet Zone, Firefox -> > network.automatic-ntlm-auth.trusted-uris, > network.negotiate-auth.trusted-uris settings) can forward users local > account credentials to the web server. This seamless authentication > works fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so > with error 500 (both IE and Firefox) > > Apache log: > [Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received > for child 3 (server intradev.haching.lan:443) > [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client > 192.168.31.39] Launched ntlm_helper, pid 3745 > [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client > 192.168.31.39] creating auth user > [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client > 192.168.31.39] parsing reply from helper to YR > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n > [2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110) > [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client > 192.168.31.39] got response: BH > [Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such > file or directory: failed to parse response from helper > [Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with > unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39) > > Winbindd log. > [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943) > child daemon request 19 > [2007/04/18 15:20:01, 3] > nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121) > [ 3698]: list trusted domains > [2007/04/18 15:20:01, 3] > nsswitch/winbindd_misc.c:winbindd_interface_version(491) > [ 0]: request interface version > [2007/04/18 15:20:01, 3] > nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524) > [ 0]: request location of privileged pipe > [2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134) > [ 0]: getgroups root > [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943) > child daemon request 21 > [2007/04/18 15:20:01, 3] > nsswitch/winbindd_async.c:winbindd_dual_lookupname(721) > [ 3698]: lookupname HACHING\root > [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943) > child daemon request 42 > [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943) > child daemon request 54 > [2007/04/18 15:20:01, 3] > nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950) > [ 3698]: getsidaliases > ... > > "getgroups root" is already strange here. And there is no HACHING\root > user. where does it come from? Of course winbind cannot lookup this > name. Once again, authentication fail only when URL set as the browser's > trusted site. When I take the site out of browser's trusted site list > and login explicitly with the same account, everything is fine: > > Apache > [Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received > for child 0 (server intradev.haching.lan:443) > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018): > [client 192.168.31.39] doing ntlm auth dance > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client > 192.168.31.39] Launched ntlm_helper, pid 3823 > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client > 192.168.31.39] creating auth user > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client > 192.168.31.39] parsing reply from helper to YR > TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client > 192.168.31.39] got response: TT > TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASAB >JAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGk >AbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgA >AAAAA [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411): > [client 192.168.31.39] sending back > TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASAB >JAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGk >AbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgA >AAAAA [Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request > received for child 0 (server intradev.haching.lan:443) > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018): > [client 192.168.31.39] doing ntlm auth dance > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client > 192.168.31.39] Using existing auth helper 3823 > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client > 192.168.31.39] parsing reply from helper to KK > TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAA >AAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO3 >8BWoCtpXTgGPJMKm63kcbe4fTWd4=\n [Wed Apr 18 15:40:15 2007] [debug] > mod_auth_ntlm_winbind.c(741): [client 192.168.31.39] got response: AF > testuser > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client > 192.168.31.39] authenticated testuser > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client > 192.168.31.39] retaining user testuser > [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client > 192.168.31.39] keepalives: 1 > > Winbind: > [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615) > 0132 id_auth[4] : 00 > [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615) > 0133 id_auth[5] : 05 > [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991) > 0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347 > [2007/04/18 15:40:15, 5] > nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800) > Setting unix username to [testuser] > [2007/04/18 15:40:15, 5] > nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848) > NTLM CRAP authentication for user [HACHING]\[testuser] returned > NT_STATUS_OK (PAM: 0) > > Below is some configuration info > > Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24 > > smb.conf > [global] > usershare allow guests = No > workgroup = HACHING > realm = HACHING.LAN > idmap uid = 10000-20000 > idmap gid = 10000-20000 > security = domain > #password server = sun.haching.lan > winbind use default domain = yes > > mod_auth_ntlm_winbind.so configuration > AuthName "NTLM Authentication thingy" > NTLMAuth on > NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" > NegotiateAuth on > NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego" > NTLMBasicAuthoritative on > AuthType Negotiate > AuthType NTLM > require valid-user > > Tests like net rpc testjoin, wbinfo -u, wbinfo -g, ntlm_auth > --username=testuser > are ok. > > Any ideas are welcome, > > regards, > Serguei-- Stefan Gohmann Entwicklung gohmann@univention.de Univention GmbH Linux for your Business fon: +49 421 22 232- 0 Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22 232-99 http://www.univention.de