Bug 440446

Summary: NTLM authentication with mod_auth_ntlm_winbind doesn't work
Product: [Fedora] Fedora Reporter: Leonid Zeitlin <lz>
Component: mod_auth_ntlm_winbindAssignee: Dmitry Butskoy <dmitry>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-04 16:21:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Leonid Zeitlin 2008-04-03 16:07:12 UTC 
Description of problem:
I am having problems getting mod_auth_ntlm_winbind to work. I have a Fedora 7 
box, with Samba (including Winbind) and Apache set up. Note that I have NTLM 
authentication working in Squid, which suggests that Samba is configured 
properly. I have set up mod_auth_ntlm_winbind with standard configuration 
directives: 
 
<Directory "/var/www/html/ntlm"> 
AuthName "NTLM Authentication thingy" 
NTLMAuth on 
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" 
NTLMBasicAuthoritative on 
AuthType NTLM 
require valid-user 
</Directory> 
 
Now, whenever I try to access a protected page from Internet Explorer, the 
browser immediately shows the "This page cannot be displayed" error page. 
Apache log has the following: 
 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(1042): [client 
192.168.1.81] doing ntlm auth dance 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(483): [client 
192.168.1.81] Launched ntlm_helper, pid 23135 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(653): [client 
192.168.1.81] creating auth user 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(704): [client 
192.168.1.81] parsing reply from helper to YR 
TlRMTVNTUAABAAAAB7IIogYABgAtAAAABQAFACgAAAAFASgKAAAAD0FMRVBIQ1NfTFRE\n 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(742): [client 
192.168.1.81] got response: TT 
TlRMTVNTUAACAAAADAAMADAAAAAFgomiSWRrq1xZYHUAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(412): [client 
192.168.1.81] sending back 
TlRMTVNTUAACAAAADAAMADAAAAAFgomiSWRrq1xZYHUAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(1042): [client 
192.168.1.81] doing ntlm auth dance 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(483): [client 
192.168.1.81] Launched ntlm_helper, pid 23136 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(653): [client 
192.168.1.81] creating auth user 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(704): [client 
192.168.1.81] parsing reply from helper to YR 
TlRMTVNTUAABAAAAB7IIogYABgAtAAAABQAFACgAAAAFASgKAAAAD0FMRVBIQ1NfTFRE\n 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(742): [client 
192.168.1.81] got response: TT 
TlRMTVNTUAACAAAADAAMADAAAAAFgomi+UqzMLRhfgoAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(412): [client 
192.168.1.81] sending back 
TlRMTVNTUAACAAAADAAMADAAAAAFgomi+UqzMLRhfgoAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
 


Version-Release number of selected component (if applicable):
mod_auth_ntlm_winbind-0.0.0-0.5.20071128svn794.fc7
httpd-2.2.8-1.fc7
samba-3.0.28-0.fc7

How reproducible:
Always

Steps to Reproduce:
1. Install mod_auth_ntlm_winbind
2. Configure it using sample configuration from the README file
3. Try to access a protected page in Internet Explorer
  
Actual results:
Browser displays "This page cannot be displayed" error page.

Expected results:
The user is authenticated transparently and the protected page is shown.

Additional info:
Comment 1 Leonid Zeitlin 2008-04-04 11:16:01 UTC 
I figured it out. NTLM authentication doesn't work if keep-alive is disabled in 
Apache. Unfortunately, Fedora default httpd.conf has "KeepAlive off". Setting 
it to "on" resolves the problem. It would be nice if the 
mod_auth_ntlm_winbind's docs mentioned this, or even if some warning was issued 
when installing the module.
Comment 2 Dmitry Butskoy 2008-04-04 16:21:36 UTC 
Add comment to the config file.