Hello, there was a patch on samba-technical: "[PATCH] mod_auth_ntlm_winbind - new feature to omit domain name from username". Maybe this patch helps with your problem?
Cheers
Stefan

On Wednesday, 18 April 2007 15:52, Serguei wrote:
> Hello,
>
> We protect a linux/apache server with mod_auth_ntlm_winbind.so to
> authenticate users with their domain accounts. The server is joined into a
> windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is
> configured for NTLM+SPNEGO authentication. So far users can login when
> providing valid credentials.
>
> Users login into their windows workstation (Windows XP SP2 IE/Firefox)
> with local accounts (not domain accounts) and access applications from the
> Internet, because they normally work outside the office. The local account
> name/password matches the domain account name/password. Thus we expected to
> provide Single Signon between the workstation and the web applications.
> Browsers, when properly configured (IE -> [x] Integrated Windows
> Authentication + site in the Intranet Zone, Firefox ->
> network.automatic-ntlm-auth.trusted-uris,
> network.negotiate-auth.trusted-uris settings), can forward the users' local
> account credentials to the web server.
> This seamless authentication works fine with IIS but fails with
> winbindd/mod_auth_ntlm_winbind.so with error 500 (both IE and Firefox).
>
> Apache log:
> [Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received for child 3 (server intradev.haching.lan:443)
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client 192.168.31.39] Launched ntlm_helper, pid 3745
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client 192.168.31.39] creating auth user
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client 192.168.31.39] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
> [2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client 192.168.31.39] got response: BH
> [Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such file or directory: failed to parse response from helper
> [Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)
>
> Winbindd log:
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 19
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
>   [ 3698]: list trusted domains
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
>   [ 0]: request interface version
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
>   [ 0]: request location of privileged pipe
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
>   [ 0]: getgroups root
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 21
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
>   [ 3698]: lookupname HACHING\root
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 42
> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>   child daemon request 54
> [2007/04/18 15:20:01, 3] nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
>   [ 3698]: getsidaliases
> ...
>
> "getgroups root" is already strange here. And there is no HACHING\root
> user. Where does it come from? Of course winbind cannot look up this
> name. Once again, authentication fails only when the URL is set as a
> browser's trusted site. When I take the site out of the browser's trusted
> site list and login explicitly with the same account, everything is fine:
>
> Apache:
> [Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received for child 0 (server intradev.haching.lan:443)
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018): [client 192.168.31.39] doing ntlm auth dance
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client 192.168.31.39] Launched ntlm_helper, pid 3823
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client 192.168.31.39] creating auth user
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client 192.168.31.39] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client 192.168.31.39] got response: TT TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411): [client 192.168.31.39] sending back TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
> [Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request received for child 0 (server intradev.haching.lan:443)
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018): [client 192.168.31.39] doing ntlm auth dance
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client 192.168.31.39] Using existing auth helper 3823
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client 192.168.31.39] parsing reply from helper to KK TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAAAAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO38BWoCtpXTgGPJMKm63kcbe4fTWd4=\n
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client 192.168.31.39] got response: AF testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client 192.168.31.39] authenticated testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client 192.168.31.39] retaining user testuser
> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client 192.168.31.39] keepalives: 1
>
> Winbind:
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
>   0132 id_auth[4] : 00
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
>   0133 id_auth[5] : 05
> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991)
>   0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
> [2007/04/18 15:40:15, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
>   Setting unix username to [testuser]
> [2007/04/18 15:40:15, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
>   NTLM CRAP authentication for user [HACHING]\[testuser] returned NT_STATUS_OK (PAM: 0)
>
> Below is some configuration info
>
> Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24
>
> smb.conf
> [global]
>         usershare allow guests = No
>         workgroup = HACHING
>         realm = HACHING.LAN
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         security = domain
>         #password server = sun.haching.lan
>         winbind use default domain = yes
>
> mod_auth_ntlm_winbind.so configuration
>         AuthName "NTLM Authentication thingy"
>         NTLMAuth on
>         NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
>         NegotiateAuth on
>         NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
>         NTLMBasicAuthoritative on
>         AuthType Negotiate
>         AuthType NTLM
>         require valid-user
>
> Tests like net rpc testjoin, wbinfo -u, wbinfo -g, ntlm_auth --username=testuser
> are ok.
>
> Any ideas are welcome,
>
> regards,
> Serguei

-- 
Stefan Gohmann            Development                [EMAIL PROTECTED]
Univention GmbH           Linux for your Business    fon: +49 421 22 232- 0
Mary-Somerville-Str.1     28359 Bremen               fax: +49 421 22 232-99
http://www.univention.de

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
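An added example, not code from this thread or from Samba, to make the difference between the two `YR` tokens in the quoted logs concrete. The helper mod_auth_ntlm_winbind launches for an `Authorization: Negotiate` header (`ntlm_auth --helper-protocol=gss-spnego`) is written for SPNEGO-wrapped tokens, while the `NTLM` helper (`--helper-protocol=squid-2.5-ntlmssp`) takes bare NTLMSSP messages. The script below classifies a base64 token by its leading bytes, decodes the NTLMSSP NEGOTIATE_MESSAGE flags and optional VERSION field (MS-NLMP), and shows what the same message looks like once wrapped in an SPNEGO NegTokenInit (RFC 4178) so the gss-spnego side can be exercised too. The two token strings are copied from the logs above; the function names, the flag subset and the tiny DER helpers are this example's own. Whether a bare token is what made `manage_gss_spnego_request` answer `BH` in Serguei's setup is not settled in the thread; the decoder only makes the difference visible.

```python
import base64
import struct

# Subset of the NTLMSSP NEGOTIATE flags (MS-NLMP 2.2.2.5) needed to read the
# NEGOTIATE_MESSAGE (Type 1) tokens from the log.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION = 0x02000000

# DER-encoded OIDs: SPNEGO 1.3.6.1.5.5.2 and NTLMSSP 1.3.6.1.4.1.311.2.2.10.
SPNEGO_OID = bytes.fromhex("2b0601050502")
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")

# "YR" tokens copied verbatim from the two Apache debug logs quoted in the thread.
FAILING_YR = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
WORKING_YR = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="


def classify_token(b64token):
    """Tell a bare NTLMSSP message from an SPNEGO wrapper by its leading bytes."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw-ntlmssp"
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken carrying NegTokenInit
        return "spnego-negtokeninit"
    if raw[:1] == b"\xa1":  # [1] NegTokenResp
        return "spnego-negtokenresp"
    return "unknown"


def parse_ntlm_negotiate(raw):
    """Decode the fixed part of a NEGOTIATE_MESSAGE: flags and the optional VERSION field."""
    if not raw.startswith(b"NTLMSSP\x00") or len(raw) < 32:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE_MESSAGE, got type %d" % msg_type)
    version = None
    if flags & NEGOTIATE_VERSION and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)  # VERSION at offset 32
        version = (major, minor, build)
    names = [n for bit, n in sorted(NTLM_FLAGS.items()) if flags & bit]
    return {"flags": flags, "flag_names": names, "version": version}


# Minimal DER helpers: just enough to build and read an SPNEGO NegTokenInit.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def wrap_in_spnego(raw_ntlmssp):
    """Wrap a bare NTLMSSP token the way an SPNEGO-speaking client sends it."""
    mech_types = der(0xA0, der(0x30, der(0x06, NTLMSSP_OID)))  # [0] mechTypes
    mech_token = der(0xA2, der(0x04, raw_ntlmssp))             # [2] mechToken
    neg_token_init = der(0xA0, der(0x30, mech_types + mech_token))
    return der(0x60, der(0x06, SPNEGO_OID) + neg_token_init)


def unwrap_spnego_init(token):
    """Return (list of mechType OIDs, mechToken bytes) from a NegTokenInit."""
    tag, body, _ = der_read(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = der_read(body, 0)
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("not SPNEGO")
    _, seq, _ = der_read(der_read(body, pos)[1], 0)  # [0] NegTokenInit -> SEQUENCE
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, content, pos = der_read(seq, pos)
        if tag == 0xA0:  # mechTypes: SEQUENCE OF OID
            lst, p = der_read(content, 0)[1], 0
            while p < len(lst):
                _, oid, p = der_read(lst, p)
                mechs.append(oid)
        elif tag == 0xA2:  # mechToken: OCTET STRING
            mech_token = der_read(content, 0)[1]
    return mechs, mech_token


def analyse(b64token):
    """Classify a token and decode the NEGOTIATE_MESSAGE it carries, unwrapping SPNEGO if present."""
    kind = classify_token(b64token)
    raw = base64.b64decode(b64token)
    if kind == "spnego-negtokeninit":
        raw = unwrap_spnego_init(raw)[1]
    return kind, parse_ntlm_negotiate(raw)


def wrap_in_spnego_b64(b64token):
    return base64.b64encode(wrap_in_spnego(base64.b64decode(b64token))).decode()


if __name__ == "__main__":
    samples = (("failing", FAILING_YR), ("working", WORKING_YR), ("wrapped", wrap_in_spnego_b64(FAILING_YR)))
    for label, tok in samples:
        kind, info = analyse(tok)
        print(label, kind, hex(info["flags"]), info["version"], ", ".join(info["flag_names"]))
```

Both tokens from the log are bare NTLMSSP messages, which is what the `NTLM` helper wants and not what an SPNEGO parser expects. They are not identical, though: the one from the failing (trusted-site) attempt carries flags `0xa2088207` and a VERSION field announcing Windows 5.1 build 2600, i.e. the XP SP2 workstation, while the one from the working explicit login carries `0x00088207` and no version. The third line of output shows that once the same message is put inside a NegTokenInit the classifier reports `spnego-negtokeninit` and the decoder still recovers the identical flags.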