Scenario:
CentOS 5 x86_64 machine with samba-3.0.23c-2.el5.2.0.2
The machine is a PDC; Windows 2000 users log on, get
profiles, etc.
I'm trying to set up a folder in apache that uses
NTLM authentication using mod_auth_ntlm_winbind.
I've followed:
http://adldap.sourceforge.net/mod_auth_ntlm_winbind.php
winbindd is running, and ntlm_auth seems to work:
# ntlm_auth --username=pdc2
password:
[2007/05/21 14:33:07, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/lib64/samba/en_US.UTF-8.msg: No such file or
directory
NT_STATUS_OK: Success (0x0)
I've added apache to the squid group so that ntlm_auth has access
to:
# ls -ld /var/cache/samba/winbindd_privileged/
drwxrwx--- 2 root squid 4096 May 21 14:15
/var/cache/samba/winbindd_privileged/
In /etc/httpd/conf/httpd.conf I have:
<Directory "/var/www/html/cchem">
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth -d100 --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>
I get the following in /var/log/httpd/error_log
when I try to access http://www2.crc.dk/cchem from
a Windows PC where I'm logged in as pdc2:
[Mon May 21 14:51:59 2007] [debug] mod_auth_ntlm_winbind.c(1018):
[client 172.20.17.28] doing ntlm auth dance, referer: http://www2.crc.dk/
[Mon May 21 14:51:59 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
172.20.17.28] Launched ntlm_helper, pid 22564, referer: http://www2.crc.dk/
[Mon May 21 14:51:59 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
172.20.17.28] creating auth user, referer: http://www2.crc.dk/
[Mon May 21 14:51:59 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
172.20.17.28] parsing reply from helper to YR
TlRMTVNTUAABAAAAB7IAogYABgAtAAAABQAFACgAAAAFAJMIAAAAD1RFU1QyQ1JDTkVU\n,
referer: http://www2.crc.dk/
[2007/05/21 14:51:59, 5] lib/debug.c:debug_dump_status(391)
INFO: Current debug levels:
all: True/100
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
[2007/05/21 14:51:59, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR
TlRMTVNTUAABAAAAB7IAogYABgAtAAAABQAFACgAAAAFAJMIAAAAD1RFU1QyQ1JDTkVU'
from squid (length: 71).
[2007/05/21 14:51:59, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
got NTLMSSP packet:
[2007/05/21 14:51:59, 10] lib/util.c:dump_data(2237)
[000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A2 NTLMSSP. ........
[010] 06 00 06 00 2D 00 00 00 05 00 05 00 28 00 00 00 ....-... ....(...
[020] 05 00 93 08 00 00 00 0F 54 45 53 54 32 43 52 43 ........ TEST2CRC
[030] 4E 45 54 NET
[2007/05/21 14:51:59, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa200b207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED
NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_56
[2007/05/21 14:51:59, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
NTLMSSP challenge
[2007/05/21 14:51:59, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got '' from squid (length: 89).
[2007/05/21 14:51:59, 2] utils/ntlm_auth.c:manage_squid_request(1618)
Invalid Request
ERR
[2007/05/21 14:51:59, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got '' from squid (length: 6).
[2007/05/21 14:51:59, 2] utils/ntlm_auth.c:manage_squid_request(1618)
Invalid Request
ERR
[2007/05/21 14:51:59, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got '' from squid (length: 31).
[2007/05/21 14:51:59, 2] utils/ntlm_auth.c:manage_squid_request(1618)
Invalid Request
ERR
[2007/05/21 14:51:59, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got '' from squid (length: 0).
[2007/05/21 14:51:59, 2] utils/ntlm_auth.c:manage_squid_request(1618)
Invalid Request
ERR
[Mon May 21 14:51:59 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
172.20.17.28] got response: TT
TlRMTVNTUAACAAAADAAMADAAAAAFgoGiT1inioSWz5sAAAAAAAAAAFYAVgA8AAAAQwBSAEMATgBFAFQAAgAMAEMAUgBDAE4ARQBUAAEADgBTAEUAUgBWAEUAUgAxAAQADABjAHIAYwAuAGQAawADABwAcwBlAHIAdgBlAHIAMQAuAGMAcgBjAC4AZABrAAAAAAA=,
referer: http://www2.crc.dk/
[2007/05/21 14:51:59, 10] utils/ntlm_auth.c:manage_squid_request(1615)
[Mon May 21 14:51:59 2007] [debug] mod_auth_ntlm_winbind.c(411): [client
172.20.17.28] sending back
TlRMTVNTUAACAAAADAAMADAAAAAFgoGiT1inioSWz5sAAAAAAAAAAFYAVgA8AAAAQwBSAEMATgBFAFQAAgAMAEMAUgBDAE4ARQBUAAEADgBTAEUAUgBWAEUAUgAxAAQADABjAHIAYwAuAGQAawADABwAcwBlAHIAdgBlAHIAMQAuAGMAcgBjAC4AZABrAAAAAAA=,
referer: http://www2.crc.dk/
Got 'This is intended to read lines from modules imported -- hence
if a filPãÐ]ÿ^?' from squid (length: 127).
[2007/05/21 14:51:59, 1] utils/ntlm_auth.c:manage_squid_ntlmssp_request(578)
NTLMSSP query [This is intended to read lines from modules imported
-- hence if a filPãÐ]ÿ^?] invalidGot '<88>nUU' from squid (length:
16).
[2007/05/21 14:51:59, 1] utils/ntlm_auth.c:manage_squid_ntlmssp_request(578)
NTLMSSP query [<88>nUU] invalidGot 'that name.' from squid
(length: 10).
[2007/05/21 14:51:59, 1] utils/ntlm_auth.c:manage_squid_ntlmssp_request(578)
NTLMSSP query [that name.] invalidGot 'Nt^G' from squid (length: 14).
[2007/05/21 14:51:59, 1] utils/ntlm_auth.c:manage_squid_ntlmssp_request(578)
NTLMSSP query [Nt^G] invalidGot '' from squid (length: 14).
[2007/05/21 14:51:59, 2] utils/ntlm_auth.c:manage_squid_request(1618)
Invalid Request
ERR
Any suggestions?
Mogens
--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk@crc.dk Homepage: http://www.crc.dk
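
Added example, not part of the original post and not code from Samba or mod_auth_ntlm_winbind: a small checker for the request lines ntlm_auth reads in squid-2.5-ntlmssp mode. It decodes the Type 1 message from the log above and rejects the payloads the helper reported as invalid. The function names are hypothetical, and the YR/KK request verbs are assumed from the helper protocol.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
# Flag names limited to the ones ntlm_auth printed in the log above.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00001000: "NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
# Lines taken from the log: the YR request, then two payloads the helper rejected.
SAMPLES = [
    "YR TlRMTVNTUAABAAAAB7IAogYABgAtAAAABQAFACgAAAAFAJMIAAAAD1RFU1QyQ1JDTkVU",
    "", "that name.",
]

def _buf(msg, pos):
    """Follow a security buffer (len, maxlen, offset) at pos and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def inspect_request(line):
    """Check one helper request line ('YR <b64>' or 'KK <b64>'); never raises."""
    out = {"valid": False, "length": len(line)}
    cmd, _, blob = line.partition(" ")
    try:
        if cmd not in ("YR", "KK"):
            raise ValueError("not a YR/KK request")
        msg = base64.b64decode(blob, validate=True)
        if len(msg) < 12 or not msg.startswith(SIG):
            raise ValueError("no NTLMSSP signature")
        out["type"] = struct.unpack_from("<I", msg, 8)[0]
        if out["type"] == 1 and len(msg) >= 32:  # NEGOTIATE with both buffers
            flags = out["flags"] = struct.unpack_from("<I", msg, 12)[0]
            out["flag_names"] = [n for bit, n in sorted(FLAGS.items()) if flags & bit]
            out["domain"] = _buf(msg, 16).decode("ascii", "replace")
            out["workstation"] = _buf(msg, 24).decode("ascii", "replace")
        out["valid"] = True
    except ValueError as exc:  # binascii.Error from b64decode is a ValueError
        out["reason"] = str(exc)
    return out
```

Running inspect_request over SAMPLES accepts only the first line, with the same length (71) and neg_flags value that ntlm_auth logged for it.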