Re: [Samba] mod_ntlm_winbind / Apache2
On Sat, 2006-09-02 at 09:49 +1000, Andrew Bartlett wrote:
> Because it needs to access either the secrets.tdb or a keytab,
> gss-spnego is much more fragile than the NTLMSSP helper. We could make
> it less fragile by handling the kerberos verification in winbindd,
> rather than in the ntlm_auth binary.

I'm not 100% sure of what you just said (my knowledge of kerberos stuff
is very limited). My samba setup on this host is running as a member
server in a Win2000 AD environment. Are you saying that I need to do
some more kerberos setup outside of samba/winbind to get the gss-spnego
helper to work?

Thanks,
Kevin.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind / Apache2
On Wed, 2006-08-30 at 02:33 +0930, Kevin Shanahan wrote:
> On Wed, 2006-08-30 at 00:57 +0930, Kevin Shanahan wrote:
> > On Tue, 2006-08-29 at 12:09 -0300, Felipe Augusto van de Wiel wrote:
> > > Run it in a terminal, check for manpages of your
> > > distribution, try to increase debug/log level.
> >
> > Weird, it seems to work from the command line (I just pasted in the YR
> > line from the previous log):
> >
> > # /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=10
>
> Sorry for replying to myself too much; just wanted to point out that the
> failing ntlm_auth call in Apache was the gss-spnego helper, so this
> example doesn't make sense. It fails from the command line equally as it
> does from Apache...

Because it needs to access either the secrets.tdb or a keytab,
gss-spnego is much more fragile than the NTLMSSP helper. We could make
it less fragile by handling the kerberos verification in winbindd,
rather than in the ntlm_auth binary.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
Re: [Samba] mod_ntlm_winbind / Apache2
On Wed, 2006-08-30 at 00:57 +0930, Kevin Shanahan wrote:
> On Tue, 2006-08-29 at 12:09 -0300, Felipe Augusto van de Wiel wrote:
> > Run it in a terminal, check for manpages of your
> > distribution, try to increase debug/log level.
>
> Weird, it seems to work from the command line (I just pasted in the YR
> line from the previous log):
>
> # /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=10

Sorry for replying to myself too much; just wanted to point out that the
failing ntlm_auth call in Apache was the gss-spnego helper, so this
example doesn't make sense. It fails from the command line equally as it
does from Apache...

> Regards,
> Kevin.
Re: [Samba] mod_ntlm_winbind / Apache2
On Wed, 2006-08-30 at 00:57 +0930, Kevin Shanahan wrote:
> On Tue, 2006-08-29 at 12:09 -0300, Felipe Augusto van de Wiel wrote:
> > That's the reason of my question. BH is really bad. The
> > helper probably is missing something. Try to strace the command
> > and see what files it is trying to open. I don't know an easy way
> > to test it (didn't have big problems with NTLM auth, and there is
> > quite a while that I did not setup it again).
>
> I think the "file not found" message is coming from mod_ntlm_winbind, so
> I'd need to strace apache for that.

Here is the interesting stuff:

3039 read(12, "GET /auth-test HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\nAccept-Language: en-au\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nHost: intranet.ucwb.org.au\r\nConnection: Keep-Alive\r\nAuthorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw==\r\n\r\n", 8000) = 461
3039 gettimeofday({1156866947, 939362}, NULL) = 0
3039 stat64("/var/www/auth-test", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
3039 open("/var/www/auth-test/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
3039 pipe([14, 15])= 0
3039 pipe([16, 17])= 0
3039 access("/usr/bin/ntlm_auth", R_OK|X_OK) = 0
3039 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7a2f0c8) = 3050
3039 close(14) = 0
3039 close(17) = 0
3039 gettimeofday({1156866947, 940817}, NULL) = 0
3039 write(7, "[Wed Aug 30 01:25:47 2006] [debug] mod_ntlm_winbind.c(529): [client 192.168.0.53] Launched ntlm_helper, pid 3050\n", 113) = 113
3039 gettimeofday({1156866947, 940972}, NULL) = 0
3039 write(7, "[Wed Aug 30 01:25:47 2006] [debug] mod_ntlm_winbind.c(699): [client 192.168.0.53] creating auth user\n", 101) = 101
3039 write(15, "YR TlRMTVNTUAABB4IIogAFASgKDw==\n", 60) = 60
3039 gettimeofday({1156866947, 941175}, NULL) = 0
3039 write(7, "[Wed Aug 30 01:25:47 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to YR TlRMTVNTUAABB4IIogAFASgKDw==\\n\n", 173) = 173
3039 read(16, "B", 1) = 1
3039 read(16, "H", 1) = 1
3039 read(16, "\n", 1) = 1
3039 gettimeofday({1156866947, 988012}, NULL) = 0
3039 write(7, "[Wed Aug 30 01:25:47 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: BH\n", 99) = 99
3039 gettimeofday({1156866947, 988131}, NULL) = 0
3039 write(7, "[Wed Aug 30 01:25:47 2006] [error] [client 192.168.0.53] (2)No such file or directory: failed to parse response from helper\n", 124) = 124
3039 close(16) = 0
3039 close(15) = 0

And ntlm_auth is now a zombie:

# ps ax | grep ntlm
 3050 ?        Z      0:00 [ntlm_auth]

Okay, I did another strace with -f to see what ntlm_auth is doing:
- pid 3724 is ntlm_auth
- pid 3707 is the apache process waiting for the response

3724 open("/usr/share/samba/valid.dat", O_RDONLY|O_LARGEFILE) = 3
3724 mmap2(NULL, 65536, PROT_READ, MAP_SHARED, 3, 0) = 0xb7b54000
3724 close(3) = 0
3724 fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
3724 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f1d000
3724 read(0, "YR TlRMTVNTUAABB4IIogAFASgKD2==\n", 4096) = 60
3724 time(NULL)= 1156868276
3724 geteuid32() = 33
3724 write(2, "[2006/08/30 01:47:56, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)\n", 74) = 74
3724 write(1, "BH\n", 3
3707 <... read resumed> "B", 1)= 1
3707 read(16, "H", 1) = 1
3707 read(16, "\n", 1) = 1

So, is there something wrong with the YR request or is ntlm_auth unhappy
with what it found in valid.dat? I can't really see anything else...

Regards,
Kevin.
Re: [Samba] mod_ntlm_winbind / Apache2
On Tue, 2006-08-29 at 12:09 -0300, Felipe Augusto van de Wiel wrote:
> Run it in a terminal, check for manpages of your
> distribution, try to increase debug/log level.

Weird, it seems to work from the command line (I just pasted in the YR
line from the previous log):

# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=10
[2006/08/30 00:52:32, 5] lib/debug.c:debug_dump_status(368)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
YR TlRMTVNTUAABB4IIogAFASgKDw==
[2006/08/30 00:52:37, 10] utils/ntlm_auth.c:manage_squid_request(1616)
  Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
[2006/08/30 00:52:37, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
  got NTLMSSP packet:
[2006/08/30 00:52:37, 10] lib/util.c:dump_data(2058)
  [000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2  NTLMSSP.
  [010] 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
  [020] 05 01 28 0A 00 00 00 0F                           ..(.
[2006/08/30 00:52:37, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088207
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_56
TT TlRMTVNTUAACCAAIADA1gokgSIGC95pLarAAAGIAYgA4VwBVAE0AMwACAAgAVwBVAE0AMwABAAwASABFAFIATQBFAFMABAAWAHUAYwB3AGIALgBvAHIAZwAuAGEAdQADACQAaABlAHIAbQBlAHMALgB1AGMAdwBiAC4AbwByAGcALgBhAHUAAA==
[2006/08/30 00:52:37, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP challenge

> > Looking at http://devel.squid-cache.org/ntlm/squid_helper_protocol.html,
> > it seems that the helper should be returning TT , but is
> > returning BH instead. How can I get more information from the helper
> > about what the problem is?
>
> That's the reason of my question. BH is really bad. The
> helper probably is missing something. Try to strace the command
> and see what files it is trying to open. I don't know an easy way
> to test it (didn't have big problems with NTLM auth, and there is
> quite a while that I did not setup it again).

I think the "file not found" message is coming from mod_ntlm_winbind, so
I'd need to strace apache for that.

Does it mean anything that I get a BH if I try:

# /usr/bin/ntlm_auth --helper-protocol=gss-spnego --debuglevel=10
[2006/08/30 00:50:23, 5] lib/debug.c:debug_dump_status(368)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
YR TlRMTVNTUAABB4IIogAFASgKDw==
[2006/08/30 00:51:03, 10] utils/ntlm_auth.c:manage_squid_request(1616)
  Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
[2006/08/30 00:51:03, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)
BH

Unlikely, but is it possible that mod_ntlm_winbind is mixing up the
helper command lines?

Regards,
Kevin.
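Added example, not part of the original thread and not Samba or mod_ntlm_winbind code: the token that Internet Explorer sent under "Authorization: Negotiate" can be inspected offline to see how it is framed before it reaches a helper. This Python code rebuilds the 40 bytes from the dump_data() output in the message above, reports whether a token is raw NTLMSSP or SPNEGO-wrapped, and decodes the type 1 flags and version field. The function names and the SPNEGO header bytes are constructed for illustration, and the name for bit 0x02000000 (NTLMSSP_NEGOTIATE_VERSION) comes from the MS-NLMP specification, not from the log.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER encoding of OID 1.3.6.1.5.5.2

# Names as printed by debug_ntlmssp_flags in the log above, plus
# NTLMSSP_NEGOTIATE_VERSION (from MS-NLMP), which that log does not print.
FLAG_NAMES = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# The 40 bytes shown by dump_data() in the message above.
IE_TOKEN = bytes.fromhex(
    "4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "05 01 28 0A 00 00 00 0F"
)

# Constructed for contrast: only the leading bytes of a GSS-API/SPNEGO token
# (APPLICATION 0 tag, SPNEGO OID, empty negTokenInit). Not a usable token.
SPNEGO_HEADER = b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"

TOKEN_VERBS = ("YR", "KK", "TT")  # helper-protocol lines that carry base64


def parse_helper_line(line):
    """Split a helper line such as 'YR <base64>' into (verb, argument, token)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    token = b""
    if verb in TOKEN_VERBS and arg:
        token = base64.b64decode(arg, validate=True)
    return verb, arg, token


def classify_token(token):
    """Report how an authentication token is framed."""
    if token.startswith(NTLMSSP_SIG):
        return "raw-ntlmssp"
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return "spnego"
    if token[:1] == b"\x60":
        return "gssapi-other"
    return "unknown"


def parse_negotiate(token):
    """Decode an NTLMSSP type 1 (negotiate) message."""
    if len(token) < 16 or not token.startswith(NTLMSSP_SIG):
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", token, 8)
    if msg_type != 1:
        raise ValueError("expected type 1, got type %d" % msg_type)
    names, known = [], 0
    for bit, name in sorted(FLAG_NAMES.items()):
        if flags & bit:
            names.append(name)
            known |= bit
    version = None
    if flags & 0x02000000 and len(token) >= 40:
        # major, minor, build (little-endian), 3 reserved bytes, NTLM revision
        version = struct.unpack_from("<BBH3xB", token, 32)
    return {
        "flags": flags,
        "flag_names": names,
        "unnamed_bits": flags & ~known,
        "version": version,
    }


def diagnose(line):
    """Summarise one helper-protocol line."""
    verb, _arg, token = parse_helper_line(line)
    report = {"verb": verb, "framing": classify_token(token) if token else None}
    if report["framing"] == "raw-ntlmssp" and token[8:12] == b"\x01\x00\x00\x00":
        report["negotiate"] = parse_negotiate(token)
    return report


if __name__ == "__main__":
    request = "YR " + base64.b64encode(IE_TOKEN).decode("ascii")
    print(len(request), diagnose(request))
    print(classify_token(SPNEGO_HEADER))
```

For the token in this thread the framing is raw NTLMSSP carried in a Negotiate header, and the one flag bit the Samba log leaves unnamed is NTLMSSP_NEGOTIATE_VERSION, with a version field of 5.1 build 2600.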
Re: [Samba] mod_ntlm_winbind / Apache2
On 08/29/2006 11:17 AM, Kevin Shanahan wrote:
> On Tue, 2006-08-29 at 10:56 -0300, Felipe Augusto van de Wiel wrote:
>
>>On 08/29/2006 10:47 AM, Kevin Shanahan wrote:
>>[...]
>>
>>>Internet Explorer still fails, but I see something in the logs now
>>>(upped the LogLevel to debug, was at info before):
>>>
>>>[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(529): [client 192.168.0.53] Launched ntlm_helper, pid 1849
>>>[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(699): [client 192.168.0.53] creating auth user
>>>[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to YR TlRMTVNTUAABB4IIogAFASgKDw==\n
>>>[2006/08/29 23:02:37, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)
>>>[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: BH
>>>[Tue Aug 29 23:02:37 2006] [error] [client 192.168.0.53] (2)No such file or directory: failed to parse response from helper
>>>
>>>Where is the "No such file" error coming from?
>>
>> The helper is really working? Did you hand-test it?
>
> Can you describe how to do that?

Run it in a terminal, check for manpages of your
distribution, try to increase debug/log level.

> Looking at http://devel.squid-cache.org/ntlm/squid_helper_protocol.html,
> it seems that the helper should be returning TT , but is
> returning BH instead. How can I get more information from the helper
> about what the problem is?

That's the reason of my question. BH is really bad. The
helper probably is missing something. Try to strace the command
and see what files it is trying to open. I don't know an easy way
to test it (didn't have big problems with NTLM auth, and there is
quite a while that I did not setup it again).

> Regards,
> Kevin.

Kind regards,

--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
Re: [Samba] mod_ntlm_winbind / Apache2
On Tue, 2006-08-29 at 10:56 -0300, Felipe Augusto van de Wiel wrote:
> On 08/29/2006 10:47 AM, Kevin Shanahan wrote:
> [...]
> > Internet Explorer still fails, but I see something in the logs now
> > (upped the LogLevel to debug, was at info before):
> >
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(529): [client 192.168.0.53] Launched ntlm_helper, pid 1849
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(699): [client 192.168.0.53] creating auth user
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to YR TlRMTVNTUAABB4IIogAFASgKDw==\n
> > [2006/08/29 23:02:37, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)
> > [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: BH
> > [Tue Aug 29 23:02:37 2006] [error] [client 192.168.0.53] (2)No such file or directory: failed to parse response from helper
> >
> > Where is the "No such file" error coming from?
>
> The helper is really working? Did you hand-test it?

Can you describe how to do that?

Looking at http://devel.squid-cache.org/ntlm/squid_helper_protocol.html,
it seems that the helper should be returning TT , but is
returning BH instead. How can I get more information from the helper
about what the problem is?

Regards,
Kevin.
Re: [Samba] mod_ntlm_winbind / Apache2
On 08/29/2006 10:47 AM, Kevin Shanahan wrote:
[...]
> Internet Explorer still fails, but I see something in the logs now
> (upped the LogLevel to debug, was at info before):
>
> [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(529): [client 192.168.0.53] Launched ntlm_helper, pid 1849
> [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(699): [client 192.168.0.53] creating auth user
> [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to YR TlRMTVNTUAABB4IIogAFASgKDw==\n
> [2006/08/29 23:02:37, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)
> [Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: BH
> [Tue Aug 29 23:02:37 2006] [error] [client 192.168.0.53] (2)No such file or directory: failed to parse response from helper
>
> Where is the "No such file" error coming from?

The helper is really working? Did you hand-test it?

Kind regards,

--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
Re: [Samba] mod_ntlm_winbind / Apache2
On Tue, 2006-08-29 at 09:16 -0300, Felipe Augusto van de Wiel wrote:
> On 08/29/2006 08:03 AM, Kevin Shanahan wrote:
> > Hi,
> >
> > I'm trying to set up Apache2 with mod_ntlm_winbind so our Windows users
> > can log onto our Intranet automatically without having to type in their
> > username / password.
>
> Just a suggestion, kerberos could be a good way to achieve
> Single Sign On. Do you need mod_ntlm_winbind?

Not necessarily, it just looked to be preferred option from what I've
been reading. It sounded like mod_ntlm is not maintained anymore...

> And there is a nice document about NTLM Authentication that
> just happen to be updated these days.
>
> http://davenport.sourceforge.net/ntlm.html

This is interesting. Since the clients are all Win2000 or WinXP, perhaps
I should be using the Negotiate mechanism. I changed the apache config
to the following:

  AuthName "NTLM SPNEGO Authentication Test"
  NTLMAuth on
  NegotiateAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
  NTLMBasicAuthoritative on
  AuthType NTLM
  AuthType Negotiate
  require valid-user

Internet Explorer still fails, but I see something in the logs now
(upped the LogLevel to debug, was at info before):

[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(529): [client 192.168.0.53] Launched ntlm_helper, pid 1849
[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(699): [client 192.168.0.53] creating auth user
[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to YR TlRMTVNTUAABB4IIogAFASgKDw==\n
[2006/08/29 23:02:37, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)
[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: BH
[Tue Aug 29 23:02:37 2006] [error] [client 192.168.0.53] (2)No such file or directory: failed to parse response from helper

Where is the "No such file" error coming from?

Firefox still behaves the same (need to specify DOMAIN\username), but
here's the log:

[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(1065): [client 192.168.0.53] doing ntlm auth dance
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(531): [client 192.168.0.53] Using existing auth helper 1882
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to KK TlRMTVNTUAADGAAYAGIYABgAeggACABAEAAQAEgKAAoAWAAABYIIAFcAVQBNADMAawBtAHMAaABhAG4AYQBoAGkAdAAtADAAMADpnn4qP2ZWmgDKLcOjZ3fA8rytTY1MLpDw3MCBkqgnBos=\n
[2006/08/29 23:13:06, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
  Got user=[kmshanah] domain=[WUM3] workstation=[it-00] len1=24 len2=24
[2006/08/29 23:13:06, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/08/29 23:13:06, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x00088235
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: AF WUM3\\kmshanah
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(834): [client 192.168.0.53] authenticated WUM3\\kmshanah

Not sure if that tells me anything new...

Regards,
Kevin.
Re: [Samba] mod_ntlm_winbind / Apache2
On 08/29/2006 08:03 AM, Kevin Shanahan wrote:
> Hi,
>
> I'm trying to set up Apache2 with mod_ntlm_winbind so our Windows users
> can log onto our Intranet automatically without having to type in their
> username / password.

Just a suggestion, kerberos could be a good way to achieve
Single Sign On. Do you need mod_ntlm_winbind? I have good
references of mod_ntlm.

http://twiki.org/cgi-bin/view/Codev/TransparentAuthentication#Using_NTLM

And there is a nice document about NTLM Authentication that
just happen to be updated these days.

http://davenport.sourceforge.net/ntlm.html

[...]

Anyway, I hope this helps.

--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
Re: [Samba] mod_ntlm_winbind
On Wed, 2006-06-07 at 05:42 -0400, Ciro Iriarte wrote:
> Anybody using mod_ntlm_winbind?. I'm running SLES9 SP3 and I'm having
> problems using it, I did the following:

Yes. I am running it on Solaris 9 and 10.

> Compilation:
> -
>
> So I went the apx2 route:
>
> apxs -DAPACHE2 -c -i mod_ntlm_winbind.c <-- works

This is the same way I built the module.

> Configuration
>
> --.htaccess--
> AuthName "NTLM Authentication thingy"
> NTLMBasicAuth on
> NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 400"
> NTLMBasicAuthoritative on
> AuthType NTLM
> require valid-user

I added a Directory entry into my Apache conf file. The settings we have
are the same except I did not use "-d 400". Check that
/usr/bin/ntlm_auth exists.

> --perms for apache2 user--
> setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged
>
> Testing
> --
>
> Well, accessing the page asks for user/password, if I give "usrjoe" +
> "mypasswd" it gives me an 401 error code. If I enter "DOMAIN\usrjose" +
> "mypassword", I get an 500 error code and find this in error_log:

You should not have to provide DOMAIN\ as Samba handles the domain
settings etc.

> [Wed Jun 07 04:26:09 2006] [error] [client 10.129.7.146] (2)No such file or directory: couldn't spawn child ntlm helper process: ntlm_auth, referer: http://10.129.4.50/nagios/side.html

Seems to suggest a missing ntlm_auth binary file? As above, check that
/usr/bin/ntlm_auth exists.

> I hope you understand my messed explanation, and help me if you have any
> idea about my possible mistakes, I tried many configuration variations, but
> this is the simplest one

Also, aside from all of this, have you joined the domain using Samba and
started nmbd and winbindd etc? Just things to check.

> Ciro Iriarte
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-10 at 11:42 +0200, Collen Blijenberg wrote:
> Is the mod_ntlm_winbind already apache 2.XX ready ??
> or is it still written for the 1.3.XX version ?

A team assembled to build an apache 2.0 version, but it's been ported
yet. The closest we have is: http://source.grep.no/ however there are
issues with that module.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Is the mod_ntlm_winbind already apache 2.XX ready ??
or is it still written for the 1.3.XX version ?

Collen

Andrew Bartlett wrote:
> On Mon, 2005-10-03 at 14:34 -0600, Todd Garrison wrote:
> > Hello,
> >
> > I have setup mod_ntlm_winbind
>
> Firstly, I presume this is the version from lorikeet SVN?
>
> > to provide authentication for an Apache
> > 1.3.33 webserver running on Fedora Core 3. The authentication works,
> > but I have run into a problem when using Internet Explorer.
> >
> > It seems that the problem might be with Internet Explorer itself, but
> > here is what I think is happening - the browser will not submit any
> > forms with a POST method on a website protected with NTLM Auth.
> >
> > Everything seems to work fine when using Firefox/Mozilla, but IE6 has
> > a problem. Attached is the text extracted from a packet capture using
> > both browsers:
> > You can see that IE6 sends content-length: 0 and includes the NTLM
> > hash again, whereas Firefox does not.
> >
> > Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error?
>
> It looks like MSIE is avoiding resubmitting the POST twice for the
> multiple round trips of the NTLM exchange. Firefox is probably still
> sitting on an existing connection.
>
> So, I think the issue might be that apache is not handling the NTLM
> authentication request to the module, but we would need to see more
> server-side logs and a real (uncensored, unfortunately) packet capture.
>
> A small group of developers trying to take mod_ntlm_winbind further are
> gathering, I think we need to setup a public webpage and some contact
> details...
>
> Andrew Bartlett
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Thanks Ed,

It might be related - but the problems happen on both SSL and non-SSL
connections. I do get the feeling that there have been a bunch of
similar bugs (features?) in IE6. I guess since it only happens when
using NTLM auth it really can't be called a bug since there is no actual
protocol specification.

Todd Garrison

> Apparently there's a bug in IE6 that occurs only with POST requests over
> HTTPS when using keep-alive which is required for NTLM authentication.
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, Oct 03, 2005 at 02:34:22PM -0600, Todd Garrison wrote:
> I have setup mod_ntlm_winbind to provide authentication for an Apache
> 1.3.33 webserver running on Fedora Core 3. The authentication works,
> but I have run into a problem when using Internet Explorer.
>
> It seems that the problem might be with Internet Explorer itself, but
> here is what I think is happening - the browser will not submit any
> forms with a POST method on a website protected with NTLM Auth.
>
> Everything seems to work fine when using Firefox/Mozilla, but IE6 has
> a problem. Attached is the text extracted from a packet capture using
> both browsers:
> You can see that IE6 sends content-length: 0 and includes the NTLM
> hash again, whereas Firefox does not.
>
> Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error?

You never specified if you were using HTTP or HTTPS, but if you're
doing this over HTTPS you may find this link helpful:

http://telanis.cns.ualberta.ca/index.txt

Apparently there's a bug in IE6 that occurs only with POST requests over
HTTPS when using keep-alive which is required for NTLM authentication.

Ed Plese
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Ha! Nevermind, that messes other things up . . . at least I tried.

On 10/5/05, Todd Garrison <[EMAIL PROTECTED]> wrote:
> Hi Andrew,
>
> The patch you committed to SVN seems to be working, but I ran into
> another problem when dealing with 302 redirects, similar circumstance.
> I played with the code a little and found something that seems to
> work, but I probably just opened a gaping security hole? Here is a
> diff from SVN . . .
>
> Todd Garrison
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Hi Andrew,

The patch you committed to SVN seems to be working, but I ran into
another problem when dealing with 302 redirects, similar circumstance.
I played with the code a little and found something that seems to
work, but I probably just opened a gaping security hole? Here is a
diff from SVN . . .

Todd Garrison
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-03 at 15:34 -0600, Todd Garrison wrote:
> > Firstly, I presume this is the version from lorikeet SVN?
>
> Correct.
>
> > So, I think the issue might be that apache is not handling the NTLM
> > authentication request to the module, but we would need to see more
> > server-side logs and a real (uncensored, unfortunately) packet capture.
>
> I could get you a pcap file, okay if I send it to you directly, off-list?

Sure.

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
> Firstly, I presume this is the version from lorikeet SVN?

Correct.

> So, I think the issue might be that apache is not handling the NTLM
> authentication request to the module, but we would need to see more
> server-side logs and a real (uncensored, unfortunately) packet capture.

I could get you a pcap file, okay if I send it to you directly, off-list?

Thanks!

Todd
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-03 at 14:34 -0600, Todd Garrison wrote:
> Hello,
>
> I have setup mod_ntlm_winbind

Firstly, I presume this is the version from lorikeet SVN?

> to provide authentication for an Apache
> 1.3.33 webserver running on Fedora Core 3. The authentication works,
> but I have run into a problem when using Internet Explorer.
>
> It seems that the problem might be with Internet Explorer itself, but
> here is what I think is happening - the browser will not submit any
> forms with a POST method on a website protected with NTLM Auth.
>
> Everything seems to work fine when using Firefox/Mozilla, but IE6 has
> a problem. Attached is the text extracted from a packet capture using
> both browsers:
> You can see that IE6 sends content-length: 0 and includes the NTLM
> hash again, whereas Firefox does not.
>
> Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error?

It looks like MSIE is avoiding resubmitting the POST twice for the
multiple round trips of the NTLM exchange. Firefox is probably still
sitting on an existing connection.

So, I think the issue might be that apache is not handling the NTLM
authentication request to the module, but we would need to see more
server-side logs and a real (uncensored, unfortunately) packet capture.

A small group of developers trying to take mod_ntlm_winbind further are
gathering, I think we need to setup a public webpage and some contact
details...

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Re: [Samba] mod_ntlm_winbind.. errors compiling
On Fri, 2005-09-02 at 14:30 +0200, (C)ollen wrote:
> well I'm trying to fire up the mod_ntlm_winbind module for apache.
> but I get a lot of errors trying to compile it.
>
> I just downloaded it from ftp://ftp.samba.org/pub/unpacked/mod_ntlm_winbind/

Unfortunately this is the wrong one: Try
http://download.samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind/

> but I dunno what the status is for this module ?
> just looking for a good and nice way to get our intranet up and
> authenticate it against A Samba pdb/bdc

This will handle the NTLM side of the problem, for compatible browsers.
It is an apache 1.3 module, as I need a volunteer to make a port to
Apache 2.0.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
RE: [Samba] mod_ntlm_winbind
On Sat, 2004-04-24 at 23:22, Samba wrote:
> Thank you for your help, I was hoping to find a different one from that. I
> was having a problem with mod_ntlm and was hoping ntlm_auth was a different
> mod altogether. My bad

The problem, as I understand it, is that a new apache2 module for NTLMSSP, using ntlm_auth as the authentication provider, has been written, but that Apache2 is missing the required connection context to handle the task properly.

Without the correct connection context, it is not possible to ensure we authenticate the correct connection, get the right challenge to line up with the right response etc.

However, if somebody wants to update the Apache 1.3 'mod_ntlm_winbind' to use ntlm_auth, I'll happily put that into our CVS. (mod_ntlm_winbind was a copy of the mod_ntlm from sf.net a while back, hacked to talk to winbindd, and is in samba.org CVS).

Andrew Bartlett

--
Andrew Bartlett
Manager, Authentication Subsystems, Samba Team
Student Network Administrator, Hawker College
http://samba.org http://build.samba.org http://hawkerc.net
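The two points made in the replies above (a bodyless POST carrying the first NTLM message during the multi-round-trip exchange, and the need to tie challenge and response to one connection) can be seen in a small model. This is an added example, not code from mod_ntlm_winbind or Samba; the connection ids, state names and NTLMSSP messages are constructed for illustration, and the credential check that ntlm_auth performs is left out.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"  # signature that starts every NTLMSSP message

def ntlm_type(authorization):
    """Return the NTLMSSP message type (1, 2 or 3) in an Authorization value, else None."""
    scheme, _, blob = authorization.partition(" ")
    if scheme != "NTLM":
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

class ConnectionBoundNtlm:
    """Handshake state per connection id (hypothetical key, e.g. the client socket)."""
    def __init__(self):
        self.pending = set()  # connections that have been sent a challenge

    def handle(self, conn_id, method, content_length, authorization=None):
        msg = ntlm_type(authorization) if authorization else None
        if msg == 1:
            self.pending.add(conn_id)
            # Bodyless POST: the client holds its form data back until the
            # round trips are done, so this is not an empty form submission.
            if method == "POST" and content_length == 0:
                return "challenge-bodyless-post"
            return "challenge"
        if msg == 3:
            if conn_id not in self.pending:
                return "restart"  # response to a challenge this connection never got
            self.pending.discard(conn_id)
            return "verify"       # hand the blob to the helper for the real check
        return "offer-ntlm"

def sample(msg_type):
    # Constructed message: signature, type and zero padding; not from a capture.
    blob = SIG + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(blob).decode()

def demo():
    srv = ConnectionBoundNtlm()
    return [
        srv.handle("c1", "POST", 0, sample(1)),   # first leg, no body
        srv.handle("c2", "POST", 37, sample(3)),  # final leg on another connection
        srv.handle("c1", "POST", 37, sample(3)),  # final leg on the right connection
    ]
```

When reading server logs or a capture, a `Content-Length: 0` POST is only expected on the first leg; the same on the final leg would mean the form data never arrived.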
RE: [Samba] mod_ntlm_winbind
Thank you for your help, I was hoping to find a different one from that. I was having a problem with mod_ntlm and was hoping ntlm_auth was a different mod altogether. My bad

Thanks,
Josh

-----Original Message-----
From: Matthias Spork [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 24, 2004 2:55 AM
To: Samba
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] mod_ntlm_winbind

Samba wrote:

> I searched for ntml_auth apache and ntlm_auth apache and I just can't find
> where to download it from.

Please look at the first hit:
http://www.google.de/search?hl=de&ie=UTF-8&oe=UTF-8&q=mod_ntlm+apache&btnG=Suche

Download:
http://sourceforge.net/project/showfiles.php?group_id=4906

matze
Re: [Samba] mod_ntlm_winbind
Samba wrote:

> I searched for ntml_auth apache and ntlm_auth apache and I just can't find
> where to download it from.

Please look at the first hit:
http://www.google.de/search?hl=de&ie=UTF-8&oe=UTF-8&q=mod_ntlm+apache&btnG=Suche

Download:
http://sourceforge.net/project/showfiles.php?group_id=4906

matze
Re: [Samba] mod_ntlm_winbind
Samba wrote:

> Is there a mod_ntlm_winbind for apache or is that just for squid? I want to
> use NTLM authentication for our intranet apache server.

Yep. Please search at google for "ntml_auth apache".

matze
RE: [Samba] mod_ntlm_winbind
I searched for ntml_auth apache and ntlm_auth apache and I just can't find where to download it from. I see in the Makefile.in for Samba 3.0.2a source that I can do a make on it and a binary file is created, but I don't know what to do with it. How do I incorporate it into apache? I know this is leading away from Samba but any help is appreciated !!

-----Original Message-----
From: Matthias Spork [mailto:[EMAIL PROTECTED]
Sent: Friday, April 23, 2004 11:35 AM
To: Samba
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] mod_ntlm_winbind

Samba wrote:

> Is there a mod_ntlm_winbind for apache or is that just for squid? I want to
> use NTLM authentication for our intranet apache server.

Yep. Please search at google for "ntml_auth apache".

matze