Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-10 at 11:42 +0200, Collen Blijenberg wrote: > Is the mod_ntlm_winbind already apache 2.XX ready ?? > or is it still written for the 1.3.XX version ? A team assembled to build an apache 2.0 version, but it's been ported yet. The closest we have is: http://source.grep.no/ however there are issues with that module. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Samba Developer, SuSE Labs, Novell Inc.http://suse.de Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Is the mod_ntlm_winbind already apache 2.XX ready ?? or is it still written for the 1.3.XX version ? Collen Andrew Bartlett wrote: On Mon, 2005-10-03 at 14:34 -0600, Todd Garrison wrote: Hello, I have setup mod_ntlm_winbind Firstly, I presume this is the version from lorikeet SVN? to provide authentication for an Apache 1.3.33 webserver running on Fedora Core 3. The authentication works, but I have run into a problem when using Internet Explorer. It seems that the problem might be with Internet Explorer itself, but here is what I think is happening - the browser will not submit any forms with a POST method on a website protected with NTLM Auth. Everything seems to work fine when using Firefox/Mozilla, but IE6 has a problem. Attached is the text extracted from a packet capture using both browsers: You can see that IE6 sends content-length: 0 and includes the NTLM hash again, whereas Firefox does not. Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error? It looks like MSIE is avoiding resubmitting the POST twice for the multiple round trips of the NTLM exchange. Firefox is probably still sitting on an existing connection. So, I think the issue might be that apache is not handling the NTLM authentication request to the module, but we would need to see more server-side logs and a real (uncensored, unfortunately) packet capture. A small group of developers trying to take mod_ntlm_winbind further are gathering, I think we need to setup a public webpage and some contact details... Andrew Bartlett -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Thanks Ed, It might be related - but the problems happen on both SSL and non-SSL connections. I do get the feeling that there have been a bunch of similar bugs (features?) in IE6. I guess since it only happens when using NTLM auth it really can't be called a bug since there is no actual protocol specification. Todd Garrison > Apparently there's a bug in IE6 that occurs only with POST requests over > HTTPS when using keep-alive which is required for NTLM authentication. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, Oct 03, 2005 at 02:34:22PM -0600, Todd Garrison wrote: > I have setup mod_ntlm_winbind to provide authentication for an Apache > 1.3.33 webserver running on Fedora Core 3. The authentication works, > but I have run into a problem when using Internet Explorer. > > It seems that the problem might be with Internet Explorer itself, but > here is what I think is happening - the browser will not submit any > forms with a POST method on a website protected with NTLM Auth. > > Everything seems to work fine when using Firefox/Mozilla, but IE6 has > a problem. Attached is the text extracted from a packet capture using > both browsers: > You can see that IE6 sends content-length: 0 and includes the NTLM > hash again, whereas Firefox does not. > > Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error? You never specified if you were using HTTP or HTTPS, but if you're using doing this over HTTPS you may find this link helpful: http://telanis.cns.ualberta.ca/index.txt Apparently there's a bug in IE6 that occurs only with POST requests over HTTPS when using keep-alive which is required for NTLM authentication. Ed Plese -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Ha! Nevermind, that messes other things up . . . at least I tried. On 10/5/05, Todd Garrison <[EMAIL PROTECTED]> wrote: > Hi Andrew, > > The patch you commited to SVN seems to be working, but I ran into > another problem when dealing with 302 redirects, similar circumstance. > I played with the code a little and found something that seems to > work, but I probably just opened a gaping security hole? Here is a > diff from SVN . . . > > Todd Garrison > > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Hi Andrew, The patch you commited to SVN seems to be working, but I ran into another problem when dealing with 302 redirects, similar circumstance. I played with the code a little and found something that seems to work, but I probably just opened a gaping security hole? Here is a diff from SVN . . . Todd Garrison -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-03 at 15:34 -0600, Todd Garrison wrote: > > Firstly, I presume this is the version from lorikeet SVN? > > Correct. > > > So, I think the issue might be that apache is not handling the NTLM > > authentication request to the module, but we would need to see more > > server-side logs and a real (uncensored, unfortunately) packet capture. > > I could get you a pcap file, okay if I send it to you directly, off-list? Sure. -- Andrew Bartletthttp://samba.org/~abartlet/ Samba Developer, SuSE Labs, Novell Inc.http://suse.de Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
> Firstly, I presume this is the version from lorikeet SVN? Correct. > So, I think the issue might be that apache is not handling the NTLM > authentication request to the module, but we would need to see more > server-side logs and a real (uncensored, unfortunately) packet capture. I could get you a pcap file, okay if I send it to you directly, off-list? Thanks! Todd -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-03 at 14:34 -0600, Todd Garrison wrote: > Hello, > > I have setup mod_ntlm_winbind Firstly, I presume this is the version from lorikeet SVN? > to provide authentication for an Apache > 1.3.33 webserver running on Fedora Core 3. The authentication works, > but I have run into a problem when using Internet Explorer. > > It seems that the problem might be with Internet Explorer itself, but > here is what I think is happening - the browser will not submit any > forms with a POST method on a website protected with NTLM Auth. > > Everything seems to work fine when using Firefox/Mozilla, but IE6 has > a problem. Attached is the text extracted from a packet capture using > both browsers: > You can see that IE6 sends content-length: 0 and includes the NTLM > hash again, whereas Firefox does not. > > Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error? It looks like MSIE is avoiding resubmitting the POST twice for the multiple round trips of the NTLM exchange. Firefox is probably still sitting on an existing connection. So, I think the issue might be that apache is not handling the NTLM authentication request to the module, but we would need to see more server-side logs and a real (uncensored, unfortunately) packet capture. A small group of developers trying to take mod_ntlm_winbind further are gathering, I think we need to setup a public webpage and some contact details... Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Samba Developer, SuSE Labs, Novell Inc.http://suse.de Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba