Bug#807588: libapache2-mod-auth-ntlm-winbind: failed to write NTLMSSP string to helper - wrote 0 bytes
Thanks for the update.

For some strange reason, the bug disappeared since I installed libapache2-mod-php5 (strange, isn't it?). I don't know what is related to this module, but now my authentication is working very well.

Regarding security, we use NTLM in internal network only. I already tried to use libapache2-mod-auth-kerb, but it seems much more complicated to use.

Anyway, thanks for your answer, I suggest this ticket can be closed.

Regards.
Olivier.

2016-01-08 0:16 GMT+01:00 Olly Betts:

> On Thu, Dec 10, 2015 at 04:03:21PM +0100, Olivier Bitsch wrote:
> > Dear team,
>
> This package isn't team-maintained.
>
> > I'm currently trying to configure NTLM authentication with Apache and
> > Winbind, unfortunately, the system is quite unstable. I used the same
> > setup without any problem with Wheezy version. Basically, the
> > authentication is working, but sometimes, Apache results to a 500 error
> > due to winbind fatal error.
>
> I packaged this module as it was being used by one of my clients in a
> project, but they've switched to using libapache2-mod-auth-kerb instead,
> so I no longer have access to an environment where I can test the
> package.
>
> NTLM is also better avoided if you can, as the package description warns:
>
>   If you're considering using this module, you should be aware that NTLM
>   isn't regarded as very secure by modern standards - even Microsoft no
>   longer recommends its use - and where possible, you probably want to use
>   Kerberos with negotiate auth over https instead (see Debian package
>   libapache2-mod-auth-kerb).
>
> I was thinking I should either orphan this package or request it be removed
> before stretch - mostly I haven't because I'm unsure which makes more
> sense.
> NTLM has security concerns, but AIUI negotiate auth over http (rather than
> https) suffers from connection hijack issues, but I don't know how it
> compares in overall security terms with NTLM if you aren't able to use
> https.
>
> I think I should probably just orphan it (which I've now done), and I can
> always do a "RoQA" removal if nobody else wants to pick it up.
>
> Anyway, I'm afraid I'm unlikely to be able to help much with this bug. The
> module is mostly just glue code between apache and the /usr/bin/ntlm_auth
> helper in the winbind package - the latter does the actual authentication,
> so the problem may lie there.
>
> We did find the authentication was a bit randomly flaky, though I don't
> recall if the symptoms matched those you see.
>
> Cheers,
> Olly
>
Bug#807588: libapache2-mod-auth-ntlm-winbind: failed to write NTLMSSP string to helper - wrote 0 bytes
On Thu, Dec 10, 2015 at 04:03:21PM +0100, Olivier Bitsch wrote:
> Dear team,

This package isn't team-maintained.

> I'm currently trying to configure NTLM authentication with Apache and
> Winbind, unfortunately, the system is quite unstable. I used the same
> setup without any problem with Wheezy version. Basically, the
> authentication is working, but sometimes, Apache results to a 500 error
> due to winbind fatal error.

I packaged this module as it was being used by one of my clients in a project, but they've switched to using libapache2-mod-auth-kerb instead, so I no longer have access to an environment where I can test the package.

NTLM is also better avoided if you can, as the package description warns:

  If you're considering using this module, you should be aware that NTLM
  isn't regarded as very secure by modern standards - even Microsoft no
  longer recommends its use - and where possible, you probably want to use
  Kerberos with negotiate auth over https instead (see Debian package
  libapache2-mod-auth-kerb).

I was thinking I should either orphan this package or request it be removed before stretch - mostly I haven't because I'm unsure which makes more sense. NTLM has security concerns, but AIUI negotiate auth over http (rather than https) suffers from connection hijack issues, but I don't know how it compares in overall security terms with NTLM if you aren't able to use https.

I think I should probably just orphan it (which I've now done), and I can always do a "RoQA" removal if nobody else wants to pick it up.

Anyway, I'm afraid I'm unlikely to be able to help much with this bug. The module is mostly just glue code between apache and the /usr/bin/ntlm_auth helper in the winbind package - the latter does the actual authentication, so the problem may lie there.

We did find the authentication was a bit randomly flaky, though I don't recall if the symptoms matched those you see.

Cheers,
Olly
Bug#807588: libapache2-mod-auth-ntlm-winbind: failed to write NTLMSSP string to helper - wrote 0 bytes
Package: libapache2-mod-auth-ntlm-winbind
Version: 0.0.0.lorikeet+svn+801-4
Severity: important
Tags: upstream

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-auth-ntlm-winbind depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.10-10+deb8u3
ii  libc6                               2.19-18+deb8u1
ii  winbind                             2:4.1.17+dfsg-2

libapache2-mod-auth-ntlm-winbind recommends no packages.

libapache2-mod-auth-ntlm-winbind suggests no packages.

-- no debconf information

Dear team,

I'm currently trying to configure NTLM authentication with Apache and Winbind, unfortunately, the system is quite unstable. I used the same setup without any problem with Wheezy version. Basically, the authentication is working, but sometimes, Apache results to a 500 error due to winbind fatal error.

apache error:

[Wed Dec 09 15:52:45.034561 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(1023): [client 172.25.136.113:60780] doing ntlm auth dance
[Wed Dec 09 15:52:45.034566 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(489): [client 172.25.136.113:60780] Using existing auth helper 1451
[Wed Dec 09 15:52:45.034569 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(657): [client 172.25.136.113:60780] creating auth user
[Wed Dec 09 15:52:45.034576 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(698): [client 172.25.136.113:60780] failed to write NTLMSSP string to helper - wrote 0 bytes

winbind error:

[2015/12/09 16:22:59.520222, 5] .../source3/winbindd/winbindd_pam.c:180(append_unix_username)
  Setting unix username to [olivierb]
[2015/12/09 16:22:59.520258, 5] .../source3/winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [EUROPE]\[olivierb] returned NT_STATUS_OK (PAM: 0)
[2015/12/09 16:22:59.520283, 4] .../source3/winbindd/winbindd_dual.c:1346(child_handler)
  Finished processing child request 14
[2015/12/09 16:22:59.521614, 4] .../source3/winbindd/winbindd_dual.c:1338(child_handler)
  child daemon request 14
[2015/12/09 16:22:59.521654, 3] .../source3/winbindd/winbindd_pam.c:1896(winbindd_dual_pam_auth_crap)
  [ 730]: pam auth crap domain: EUROPE user: olivierb
[2015/12/09 16:22:59.521686, 5] .../libcli/auth/credentials.c:146(netlogon_creds_step)
  seed 6363d063:94cad84d
[2015/12/09 16:22:59.521711, 5] .../libcli/auth/credentials.c:151(netlogon_creds_step)
  seed+time b9cc02c4:94cad84d
[2015/12/09 16:22:59.521735, 5] .../libcli/auth/credentials.c:156(netlogon_creds_step)
  CLIENT 8be40e66:9cc2d67e
[2015/12/09 16:22:59.521758, 5] .../libcli/auth/credentials.c:162(netlogon_creds_step)
  seed+time+1 b9cc02c5:94cad84d
[2015/12/09 16:22:59.521782, 5] .../libcli/auth/credentials.c:167(netlogon_creds_step)
  SERVER f91ffc67:cd8cdad5
[2015/12/09 16:22:59.521828, 5] .../source3/rpc_client/cli_pipe.c:761(rpc_api_pipe_send)
  rpc_api_pipe: host S217124RGVW209.europe.EASYJET.LOCAL
[2015/12/09 16:22:59.555846, 5] .../source3/rpc_client/cli_pipe.c:100(rpc_read_send)
  rpc_read_send: data_to_read: 40
[2015/12/09 16:22:59.555919, 2] .../source3/winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [EUROPE]\[olivierb] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
[2015/12/09 16:22:59.555951, 4] .../source3/winbindd/winbindd_dual.c:1346(child_handler)
  Finished processing child request 14

Here are my config files:

smb.conf:

[global]
    netbios name = XXX
    workgroup = EUROPE
    security = ads
    realm = EUROPE.XXX.LOCAL
    encrypt passwords = yes
    password server = xxx.xxx.local
    idmap config *:backend = tdb
    idmap config *:range = 70001-8
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 500-4
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dns proxy = no
    wins support = no
    log level = 7
    client schannel = no
    client ntlmv2 auth = yes
    client use spnego = yes

apache:

NTLMAuth on
AuthType NTLM
AuthName "Redmine NTLM Authentication"
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
require valid-user
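
A log-triage sketch for the symptom in the report, added here as an example and not part of the original thread or the module's code: it pairs each "wrote 0 bytes" failure with the helper PID that the same worker thread had just reported reusing, so repeated failures against one ntlm_auth process stand out. The regular expressions assume the debug-line layout shown in the report; the last three sample lines are constructed.

```python
import re
from collections import Counter

# Debug-level error-log line of mod_auth_ntlm_winbind, in the layout shown in the report.
LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[auth_ntlm_winbind:\w+\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"mod_auth_ntlm_winbind\.c\(\d+\): \[client (?P<client>[^\]]+)\] (?P<msg>.*)"
)
REUSED = re.compile(r"Using existing auth helper (\d+)")
WRITE_FAIL = re.compile(r"failed to write NTLMSSP string to helper - wrote (-?\d+) bytes")

# The first four lines are from the report; the last three are constructed for this example.
SAMPLE_LOG = [
    "[Wed Dec 09 15:52:45.034561 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(1023): [client 172.25.136.113:60780] doing ntlm auth dance",
    "[Wed Dec 09 15:52:45.034566 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(489): [client 172.25.136.113:60780] Using existing auth helper 1451",
    "[Wed Dec 09 15:52:45.034569 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(657): [client 172.25.136.113:60780] creating auth user",
    "[Wed Dec 09 15:52:45.034576 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(698): [client 172.25.136.113:60780] failed to write NTLMSSP string to helper - wrote 0 bytes",
    "[Wed Dec 09 15:52:46.101200 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251200673536] mod_auth_ntlm_winbind.c(489): [client 192.0.2.10:50000] Using existing auth helper 1460",
    "[Wed Dec 09 15:52:47.200100 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(489): [client 172.25.136.113:60781] Using existing auth helper 1451",
    "[Wed Dec 09 15:52:47.200200 2015] [auth_ntlm_winbind:debug] [pid 991:tid 140251209066240] mod_auth_ntlm_winbind.c(698): [client 172.25.136.113:60781] failed to write NTLMSSP string to helper - wrote 0 bytes",
]


def find_write_failures(lines):
    """Return one record per failed helper write, tagged with the reused helper PID."""
    helper_for = {}  # (apache pid, tid, client) -> helper PID last reported as reused
    failures = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # other modules, continuation lines, unrelated text
        key = (m["pid"], m["tid"], m["client"])
        reused = REUSED.search(m["msg"])
        if reused:
            helper_for[key] = int(reused.group(1))
            continue
        failed = WRITE_FAIL.search(m["msg"])
        if failed:
            failures.append({
                "time": m["ts"], "client": m["client"],
                "worker": f'{m["pid"]}:{m["tid"]}',
                "helper_pid": helper_for.get(key),  # None if no reuse line was seen
                "bytes_written": int(failed.group(1)),
            })
    return failures


def failures_per_helper(failures):
    """Count failures per ntlm_auth helper PID to spot one helper that keeps failing."""
    return Counter(f["helper_pid"] for f in failures)
```
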