Bug 188138

Summary: Review Request: mod_auth_ntlm_winbind - NTLM authentication for the Apache web server using winbind daemon
Product: [Fedora] Fedora
Reporter: Dmitry Butskoy <dmitry>
Component: Package Review
Assignee: Jason Tibbitts <j>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Package Reviews List <fedora-package-review>
Severity: medium
Priority: medium
Version: rawhide
CC: peter.de.groot, rdieter, samba-bugs-list
Flags: j: fedora-review+, gwync: fedora-cvs+
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-06-22 14:10:58 UTC
Bug Depends On: 198251

Description Dmitry Butskoy 2006-04-06 12:03:31 UTC
Spec: http://dmitry.butskoy.name/mod_ntlm_winbind/mod_ntlm_winbind.spec
SRPM: http://dmitry.butskoy.name/mod_ntlm_winbind/mod_ntlm_winbind-20060328-1.spec

Description:
The mod_ntlm_winbind module allows authentication and authorisation over
the Web against Windows NT/AD domain controllers, using Samba on the same
machine Apache is running on.
It uses the "ntlm_auth" helper utility to talk to the local winbindd(8) daemon;
both are standard parts of the Samba distribution.

This is the same way Squid does NTLM authentication now.


Additional info:
There are already various implementations of NTLM auth for both Apache1 and Apache2. Unlike those, mod_ntlm_winbind is a "Samba upstream" implementation, specially designed for this purpose.

For a long time only Apache1 was supported. Last week support for Apache2 appeared too, so it is now possible to use this module in Fedora.

There is no source tarball. All the code (three files) is placed under the appropriate directory on some FTP servers. Additionally, CVS access is possible too.

There is no version yet. (Perhaps sometime in the future it can become a part of the Samba distribution?) Therefore I use YYYYMMDD as a version, with epoch "0". (It is the same way as was used for the mod_auth_mysql module in the past.) Not sure whether it is good.

There are no docs; everything needed is present as a comment in the config file.

Comment 2 Dmitry Butskoy 2006-04-17 15:43:39 UTC
- According to upstream, rename to "mod_auth_ntlm_winbind"
- Update to the latest svn source
- Add (temporary) coredumps patch by upstream co-author (will be in SVN soon too).

New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-20060408-1.src.rpm

Comment 3 Dmitry Butskoy 2006-04-19 12:15:58 UTC
OK, the patch applied upstream. Update to the latest SVN source.

Note: this version works fine (at least for me :))

New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-20060418-1.src.rpm





Comment 4 Dmitry Butskoy 2006-04-24 11:51:04 UTC
Upgrade to the latest SVN (Negotiate/krb5 should work now too).

New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-20060423-1.src.rpm





Comment 5 Dmitry Butskoy 2006-05-11 13:57:12 UTC
Upgrade to the latest SVN (compatibility with Apache 2.2)

New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-20060510-1.src.rpm





Comment 6 Dmitry Butskoy 2006-07-10 13:57:20 UTC
Add patch to fix IE6 "CONNECT HTTP/1.0" issue.
Do "chgrp apache /var/cache/samba/winbindd_privileged/" on install, or trigger
"usermod -a -G squid apache" when squid already installed (i.e. this dir has
group "squid").

New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-20060510-2.src.rpm



Comment 7 Rex Dieter 2006-07-10 16:06:44 UTC
A few initial comments (and given enough time later this week, I'll hopefully 
be able to pull off a full review):

1.  Drop Epoch: 0
it's not necessary, nor desired.

2. Yuck, 
%post, %triggerin squid
Changing dir ownership in a scriptlet is bad, especially since the target is 
owned by another package (samba-common).  I can see where you're coming from 
here, but in the end, it's just an unacceptable hack.  Arg, on checking, it 
appears squid does that same thing!

A better solution would be to ask/bug the samba maintainer to 
make /var/cache/samba/winbindd_privileged group writable (owned by some group, 
say, samba).  Then apache and squid could simply add themselves to this group 
on install.  (I'll go file a bug/enhancement-request for that now...)

Comment 8 Dmitry Butskoy 2006-07-10 16:48:17 UTC
> Drop Epoch: 0
OK

> A better solution would be to ask/bug the samba maintainer to 
> make /var/cache/samba/winbindd_privileged group writable
Actually "group accessible", write permission is not needed here! ;)

I would prefer to not wait for samba changes, as it can lead to some time
delay... Maybe save these ugly things "as is", at least for a while?
Note, that this permission problem can confuse the "end-user" here a lot. IMO it
is better to do these group manipulations rather than do nothing...



Comment 9 Rex Dieter 2006-07-10 16:51:57 UTC
> I would prefer to not wait for samba changes, as it can lead to some time
> delay... Maybe save these ugly things "as is", at least for a while?

If by "for a while" you mean before package is approved, yes.  (:  Seriously, 
imo, this is a blocker that MUST be fixed before acceptance into Extras.

Comment 10 Dmitry Butskoy 2006-07-25 12:11:26 UTC
Maybe don't touch /var/cache/samba/winbindd_privileged at all now, and implement
"usermod -a -G ..." just when samba/squid will implement the requested changes?

I would prefer to not wait for FC6 for this...

Comment 11 Peter de Groot 2006-08-09 04:46:39 UTC
Sorry ... Newb problem ... 
I downloaded the src rpm from above and did a
rpmbuild and rpm -i to install.... it appeared to compile 
via apxs and install ok, and the files are in the right place.

I have a working samba, and squid ntlm auth works.  I 
have added apache to the squid group.

However, it does not seem to work for me.. Both with IE 

This is a bit distressing ... as I have had it working on another
distro

sum of my apache module ... 

sum mod_auth_ntlm_winbind.so
15693    16

Does this match yours ?  Did I build the rpm correctly ... I assumed the spec
file was in the source rpm ...newb question this :-)  I did a rpmbuild --rebuild

I am using FC 5  Apache 2.2.2  samba version 3.0.23a-1.fc5.1


drwxr-x--- 2 root squid   4096 Aug  8 14:10 winbindd_privileged

Thanks ... log dump from apache follows
Peter
 
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(1088): [client
10.251.20.195] doing ntlm auth dance
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(529): [client
10.251.20.195] Launched ntlm_helper, pid 29040
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(699): [client
10.251.20.195] creating auth user
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(750): [client
10.251.20.195] parsing reply from helper to YR TlR
MTVNTUAABAAAAB7IIogoACgAyAAAACgAKACgAAAAFASgKAAAAD0M3MTItUEVURVJDVVJSSUM0MTgy\n
[2006/08/09 12:40:09, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED
    NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_56
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(788): [client
10.251.20.195] got response: TT TlRMTVNTUAACAAAAFA
AUADAAAAAFgomiMfpcnS8gMLUAAAAAAAAAAKoAqgBEAAAAQwBVAFIAUgBJAEMANAAxADgAMgACABQAQwBVAFIAUgBJAEMANAAxADgAMgABABoAQwBVAFIA
UgBJAEMANAAxADgAMgAtADAANQAEACYAYwB1AHIAcgBpAGMANAAxADgAMgAuAGkAbgB0AGUAcgBuAGEAbAADAEIAYwB1AHIAcgBpAGMANAAxADgAMgAtAD
AANQAuAGMAdQByAHIAaQBjADQAMQA4ADIALgBpAG4AdABlAHIAbgBhAGwAAAAAAA==
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(455): [client
10.251.20.195] sending back TlRMTVNTUAACAAAAFAAUAD
AAAAAFgomiMfpcnS8gMLUAAAAAAAAAAKoAqgBEAAAAQwBVAFIAUgBJAEMANAAxADgAMgACABQAQwBVAFIAUgBJAEMANAAxADgAMgABABoAQwBVAFIAUgBJ
AEMANAAxADgAMgAtADAANQAEACYAYwB1AHIAcgBpAGMANAAxADgAMgAuAGkAbgB0AGUAcgBuAGEAbAADAEIAYwB1AHIAcgBpAGMANAAxADgAMgAtADAANQ
AuAGMAdQByAHIAaQBjADQAMQA4ADIALgBpAG4AdABlAHIAbgBhAGwAAAAAAA==


Comment 12 Dmitry Butskoy 2006-08-09 12:02:08 UTC
The log shows that the module itself works, ntlm_auth helper was invoked and
successfully connected to winbindd...

Some ideas:
- Does your IE ask for login/password? If so, did you use "DOMAIN\user" or just
"user" for login?
- What is your "KeepAlive" parameter in /etc/httpd/conf/httpd.conf? 
  Anyway, try "KeepAlive on" and "MaxKeepAliveRequests 100" or another big
enough value -- but NOT zero ("0") value.

It these "two ideas" help nothing, send me (for my e-mail) your httpd.conf and
/etc/httpd/conf.d/ntlm_winbind.conf ...

Comment 13 Dmitry Butskoy 2006-08-09 12:03:38 UTC
"It these" => "If these" :)

Comment 14 Peter de Groot 2006-08-10 01:17:09 UTC
Bingo ..... Keepalive was set to OFF
Enabled it and it works great... many thanks...

BTW..  I did not change this parameter on my server....is it set to off by
default ?? Perhaps something to check on install ???

Thanks again
Peter


Comment 15 Dmitry Butskoy 2006-08-10 10:04:52 UTC
> is it set to off by default?
Yep. At least under Fedora. Don't know why.
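
A pre-flight check for the two problems diagnosed in this thread (KeepAlive switched off, and the web server user lacking group access to winbindd_privileged), added here as an example; it is not part of the package or of any comment above. The function names are hypothetical, `stat -c` assumes GNU coreutils, and the config file, directory and user are passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the package under review.

# Print the last value of a directive in one Apache config file
# (case-insensitive; commented-out lines never match; Include is not followed).
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Return 0 if KeepAlive is on and MaxKeepAliveRequests is not 0, the two
# settings named in Comment 12. Unset directives fall back to the httpd
# built-in defaults (KeepAlive On, MaxKeepAliveRequests 100).
check_keepalive() {
    ka=$(directive_value "$1" KeepAlive | tr 'A-Z' 'a-z')
    max=$(directive_value "$1" MaxKeepAliveRequests)
    [ "${ka:-on}" = "on" ] || { echo "KeepAlive is '$ka' in $1"; return 1; }
    [ "${max:-100}" != "0" ] || { echo "MaxKeepAliveRequests is 0 in $1"; return 1; }
    return 0
}

# Pure check of the directory layout shown in Comment 11 (drwxr-x---):
# group has r-x, "other" has nothing, and the user is in the owning group.
# $1 = owning group, $2 = octal mode, $3 = space-separated groups of the user
dir_access_ok() {
    case "$2" in *50) ;; *) return 1 ;; esac
    for g in $3; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Same check against a real directory and user.
# $1 = directory (e.g. /var/cache/samba/winbindd_privileged), $2 = user
check_priv_dir() {
    grp=$(stat -c '%G' "$1") && mode=$(stat -c '%a' "$1") || return 2
    dir_access_ok "$grp" "$mode" "$(id -Gn "$2")" ||
        { echo "$2 has no group access to $1 ($grp, mode $mode)"; return 1; }
}

# Usage: sh preflight.sh <httpd.conf> <winbindd_privileged dir> <user>
if [ "$#" -eq 3 ]; then
    check_keepalive "$1" && check_priv_dir "$2" "$3" && echo "OK"
fi
```

Run it with the httpd.conf path, the winbindd_privileged directory and the web server user; it prints the first failing check, or "OK".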

Comment 16 Dmitry Butskoy 2006-12-21 15:55:33 UTC
Upstream has changed the name to "auth_ntlm_winbind" completely,
introduced a VERSION file and made some fixes.

I've changed version-release scheme to VERSION-0.svnrev.X because of this.


New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-0.0.0-0.svn692.1.src.rpm



Comment 17 Dmitry Butskoy 2007-03-26 13:46:33 UTC
- updates to svn release 713
- Winbind's special group is named "wbpriv" now

New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-0.0.0-0.svn713.1.src.rpm



Comment 18 Jason Tibbitts 2007-06-05 23:04:40 UTC
FYI, the naming guidelines specify a name of
   0-0.1.{date}svn{svnrelease}%{dist}
The date should be in the form 20070605.  Then just increment the '1' for each
update you do.  (Actually the guidelines don't specify the appending of the
svnrelease, but it's been permitted elsewhere in the past.)
The important thing is that the date needs to be there.

Comment 20 Jason Tibbitts 2007-06-20 03:55:52 UTC
This is an old one, and it's really a very simple package.  Let me take a look....

The URL: seems to be invalid.
rpmlint says:
   W: mod_auth_ntlm_winbind mixed-use-of-spaces-and-tabs (spaces: line 13, tab: 
      line 1)
No big deal; fix it if you like.

   W: mod_auth_ntlm_winbind-debuginfo filename-too-long-for-joliet 
     mod_auth_ntlm_winbind-debuginfo-0.0.0-0.1.20070129svn713.fc8.x86_64.rpm
I'm not sure there's anything you can do about this, nor do I know if this
actually causes any problems.

It's actually more useful to do "svn export" instead of "svn co" to get an
updated source tree, because it doesn't give you a bunch of useless .svn
directories.

You need a Requires(post): /usr/sbin/usermod (or shadow-utils).  Frankly I'm not
sure if rpm will guarantee that apache is installed before this package so that
the %post scriptlet will actually run, and I think that should be confirmed with
an expert first.  I don't have any particular issue with this package changing
the apache users' group list, however.

Review:
* source files match upstream.
  I did an svn export and diffed the directories manually.
* package meets naming and versioning guidelines.  (The upstream version really 
  is 0.0.0.)
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.
* description is OK.
* dist tag is present.
* build root is OK.
* license field matches the actual license.
* license is open source-compatible.
* license text not included upstream.
* latest version is being packaged (The SVN ID of the upstream repository is 754 
  as I do this review, but none of the files in this package have been changed as 
  far as I can tell.)
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (development, x86_64).
* package installs properly
* debuginfo package looks complete.
* rpmlint has only acceptable complaints.
* final provides and requires are sane:
   config(mod_auth_ntlm_winbind) = 0.0.0-0.1.20070129svn713.fc8
   mod_auth_ntlm_winbind.so()(64bit)
   mod_auth_ntlm_winbind = 0.0.0-0.1.20070129svn713.fc8
  =
   /bin/sh
   config(mod_auth_ntlm_winbind) = 0.0.0-0.1.20070129svn713.fc8
   httpd >= 2.0.40
   httpd-mmn = 20051115
   samba-common
* %check is not present; no test suite upstream.  I have no means to test this 
  package.
* no shared libraries are added to the regular linker search paths.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no scriptlets present.
* code, not content.
* documentation is small, so no -docs subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* no headers.
* no pkgconfig files.
* no static libraries.
* no libtool .la files.

Comment 21 Dmitry Butskoy 2007-06-20 13:19:34 UTC
> The URL: seems to be invalid.
Yep, fixed.

> mixed-use-of-spaces-and-tabs
Prefer a more clean text in files rather than such a kind of pedantry :)
> filename-too-long-for-joliet
Never seen it... Assume it will not actually affect debuginfo sub-package in the
final repository.

> "svn export" instead of "svn co"
Done, thanks.
> You need a Requires(post): /usr/sbin/usermod (or shadow-utils).
Added "Requires(post): shadow-utils"
> not sure if rpm will guarantee that apache is installed before this package
Seems that just "requires" of httpd (and samba-common for "wbpriv" group) is
enough. Both rpm and yum first install all the "Requires", and then
mod_auth_ntlm_winbind. Just checked it out now one more time.

> SVN ID of the upstream repository is 754
I use the SVN ID and the date of the latest change of this module, this way
seems to be more clean.

New SPEC:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.spec
New SRPM:
http://dmitry.butskoy.name/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind-0.0.0-0.2.20070129svn713.src.rpm




Comment 22 Jason Tibbitts 2007-06-20 16:49:41 UTC
Looks good to me.

APPROVED

Comment 23 Dmitry Butskoy 2007-06-21 10:52:41 UTC
New Package CVS Request
=======================
Package Name: mod_auth_ntlm_winbind
Short Description: NTLM authentication for the Apache web server using winbind
daemon
Owners: dmitry
Branches: F7
InitialCC: 


Comment 24 Kevin Fenzi 2007-06-22 02:10:47 UTC
cvs done.

Comment 25 Dmitry Butskoy 2011-09-01 15:28:53 UTC
Package Change Request
======================
Package Name: mod_auth_ntlm_winbind
New Branches: el6
Owners: buc

Comment 26 Gwyn Ciesla 2011-09-01 15:50:15 UTC
Git done (by process-git-requests).