Bug#807588: libapache2-mod-auth-ntlm-winbind: failed to write NTLMSSP string to helper - wrote 0 bytes

2016-01-08 Thread Olivier Bitsch
Thanks for the update,

For some strange reason, the bug has disappeared since I installed
libapache2-mod-php5 (strange, isn't it?). I don't know how this module is
related, but now my authentication is working very well.

Regarding security, we use NTLM on the internal network only. I already tried
to use libapache2-mod-auth-kerb, but it seems much more complicated to use.

Anyway, thanks for your answer, I suggest this ticket can be closed.

Regards.

Olivier.

2016-01-08 0:16 GMT+01:00 Olly Betts :

> On Thu, Dec 10, 2015 at 04:03:21PM +0100, Olivier Bitsch wrote:
> > Dear team,
>
> This package isn't team-maintained.
>
> > I'm currently trying to configure NTLM authentication with Apache and
> > Winbind; unfortunately, the system is quite unstable. I used the same
> > setup without any problem with the Wheezy version. Basically, the
> > authentication is working, but sometimes Apache results in a 500 error
> > due to a winbind fatal error.
>
> I packaged this module as it was being used by one of my clients in a
> project, but they've switched to using libapache2-mod-auth-kerb instead,
> so I no longer have access to an environment where I can test the
> package.
>
> NTLM is also better avoided if you can, as the package description warns:
>
>  If you're considering using this module, you should be aware that NTLM
>  isn't regarded as very secure by modern standards - even Microsoft no
>  longer recommends its use - and where possible, you probably want to use
>  Kerberos with negotiate auth over https instead (see Debian package
>  libapache2-mod-auth-kerb).
>
> I was thinking I should either orphan this package or request it be removed
> before stretch - mostly I haven't because I'm unsure which makes more
> sense.
> NTLM has security concerns, but AIUI negotiate auth over http (rather than
> https) suffers from connection hijack issues, but I don't know how it
> compares in overall security terms with NTLM if you aren't able to use
> https.
>
> I think I should probably just orphan it (which I've now done), and I can
> always do a "RoQA" removal if nobody else wants to pick it up.
>
> Anyway, I'm afraid I'm unlikely to be able to help much with this bug.  The
> module is mostly just glue code between apache and the /usr/bin/ntlm_auth
> helper in the winbind package - the latter does the actual authentication,
> so the problem may lie there.
>
> We did find the authentication was a bit randomly flaky, though I don't
> recall if the symptoms matched those you see.
>
> Cheers,
> Olly
>


Bug#807588: libapache2-mod-auth-ntlm-winbind: failed to write NTLMSSP string to helper - wrote 0 bytes

2016-01-07 Thread Olly Betts
On Thu, Dec 10, 2015 at 04:03:21PM +0100, Olivier Bitsch wrote:
> Dear team,

This package isn't team-maintained.

> I'm currently trying to configure NTLM authentication with Apache and
> Winbind; unfortunately, the system is quite unstable. I used the same
> setup without any problem with the Wheezy version. Basically, the
> authentication is working, but sometimes Apache results in a 500 error
> due to a winbind fatal error.

I packaged this module as it was being used by one of my clients in a
project, but they've switched to using libapache2-mod-auth-kerb instead,
so I no longer have access to an environment where I can test the
package.

NTLM is also better avoided if you can, as the package description warns:

 If you're considering using this module, you should be aware that NTLM
 isn't regarded as very secure by modern standards - even Microsoft no
 longer recommends its use - and where possible, you probably want to use
 Kerberos with negotiate auth over https instead (see Debian package
 libapache2-mod-auth-kerb).

I was thinking I should either orphan this package or request it be removed
before stretch - mostly I haven't because I'm unsure which makes more sense.
NTLM has security concerns, but AIUI negotiate auth over http (rather than
https) suffers from connection hijack issues, but I don't know how it
compares in overall security terms with NTLM if you aren't able to use
https.

I think I should probably just orphan it (which I've now done), and I can
always do a "RoQA" removal if nobody else wants to pick it up.

Anyway, I'm afraid I'm unlikely to be able to help much with this bug.  The
module is mostly just glue code between apache and the /usr/bin/ntlm_auth
helper in the winbind package - the latter does the actual authentication,
so the problem may lie there.

We did find the authentication was a bit randomly flaky, though I don't
recall if the symptoms matched those you see.

Cheers,
Olly



Bug#807588: libapache2-mod-auth-ntlm-winbind: failed to write NTLMSSP string to helper - wrote 0 bytes

2015-12-10 Thread Olivier Bitsch
Package: libapache2-mod-auth-ntlm-winbind
Version: 0.0.0.lorikeet+svn+801-4
Severity: important
Tags: upstream



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-auth-ntlm-winbind depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.10-10+deb8u3
ii  libc6   2.19-18+deb8u1
ii  winbind 2:4.1.17+dfsg-2

libapache2-mod-auth-ntlm-winbind recommends no packages.

libapache2-mod-auth-ntlm-winbind suggests no packages.

-- no debconf information

Dear team,

I'm currently trying to configure NTLM authentication with Apache and
Winbind; unfortunately, the system is quite unstable. I used the same
setup without any problem with the Wheezy version. Basically, the
authentication is working, but sometimes Apache results in a 500 error
due to a winbind fatal error.

apache error:

[Wed Dec 09 15:52:45.034561 2015] [auth_ntlm_winbind:debug] [pid
991:tid 140251209066240] mod_auth_ntlm_winbind.c(1023): [client
172.25.136.113:60780] doing ntlm auth dance
[Wed Dec 09 15:52:45.034566 2015] [auth_ntlm_winbind:debug] [pid
991:tid 140251209066240] mod_auth_ntlm_winbind.c(489): [client
172.25.136.113:60780] Using existing auth helper 1451
[Wed Dec 09 15:52:45.034569 2015] [auth_ntlm_winbind:debug] [pid
991:tid 140251209066240] mod_auth_ntlm_winbind.c(657): [client
172.25.136.113:60780] creating auth user
[Wed Dec 09 15:52:45.034576 2015] [auth_ntlm_winbind:debug] [pid
991:tid 140251209066240] mod_auth_ntlm_winbind.c(698): [client
172.25.136.113:60780] failed to write NTLMSSP string to helper - wrote 0
bytes

winbind error:

[2015/12/09 16:22:59.520222, 5]
.../source3/winbindd/winbindd_pam.c:180(append_unix_username)
Setting unix username to [olivierb]
[2015/12/09 16:22:59.520258, 5]
.../source3/winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [EUROPE]\[olivierb] returned
NT_STATUS_OK (PAM: 0)
[2015/12/09 16:22:59.520283, 4]
.../source3/winbindd/winbindd_dual.c:1346(child_handler)
Finished processing child request 14
[2015/12/09 16:22:59.521614, 4]
.../source3/winbindd/winbindd_dual.c:1338(child_handler)
child daemon request 14
[2015/12/09 16:22:59.521654, 3]
.../source3/winbindd/winbindd_pam.c:1896(winbindd_dual_pam_auth_crap)
[ 730]: pam auth crap domain: EUROPE user: olivierb
[2015/12/09 16:22:59.521686, 5]
.../libcli/auth/credentials.c:146(netlogon_creds_step)
seed 6363d063:94cad84d
[2015/12/09 16:22:59.521711, 5]
.../libcli/auth/credentials.c:151(netlogon_creds_step)
seed+time b9cc02c4:94cad84d
[2015/12/09 16:22:59.521735, 5]
.../libcli/auth/credentials.c:156(netlogon_creds_step)
CLIENT 8be40e66:9cc2d67e
[2015/12/09 16:22:59.521758, 5]
.../libcli/auth/credentials.c:162(netlogon_creds_step)
seed+time+1 b9cc02c5:94cad84d
[2015/12/09 16:22:59.521782, 5]
.../libcli/auth/credentials.c:167(netlogon_creds_step)
SERVER f91ffc67:cd8cdad5
[2015/12/09 16:22:59.521828, 5]
.../source3/rpc_client/cli_pipe.c:761(rpc_api_pipe_send)
rpc_api_pipe: host S217124RGVW209.europe.EASYJET.LOCAL
[2015/12/09 16:22:59.555846, 5]
.../source3/rpc_client/cli_pipe.c:100(rpc_read_send)
rpc_read_send: data_to_read: 40
[2015/12/09 16:22:59.555919, 2]
.../source3/winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [EUROPE]\[olivierb] returned
NT_STATUS_WRONG_PASSWORD (PAM: 7)
[2015/12/09 16:22:59.555951, 4]
.../source3/winbindd/winbindd_dual.c:1346(child_handler)
Finished processing child request 14

Here are my config files:

smb.conf:

[global]
netbios name = XXX
workgroup = EUROPE
security = ads
realm = EUROPE.XXX.LOCAL
encrypt passwords = yes
password server = xxx.xxx.local

idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-4

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

dns proxy = no
wins support = no

log level = 7

client schannel = no
client ntlmv2 auth = yes
client use spnego = yes

apache:

NTLMAuth on
AuthType NTLM
AuthName "Redmine NTLM Authentication"
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
require valid-user