Bug 440446 - NTLM authentication with mod_auth_ntlm_winbind doesn't work
NTLM authentication with mod_auth_ntlm_winbind doesn't work
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: mod_auth_ntlm_winbind (Show other bugs)
8
i386 Linux
low Severity low
: ---
: ---
Assigned To: Dmitry Butskoy
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-03 12:07 EDT by Leonid Zeitlin
Modified: 2008-04-04 12:21 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-04 12:21:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Leonid Zeitlin 2008-04-03 12:07:12 EDT
Description of problem:
I am having problems getting mod_auth_ntlm_winbind to work. I have a Fedora 7 
box, with Samba (including Winbind) and Apache set up. Note that I have NTLM 
authentication working in Squid, which suggests that Samba is configured 
properly. I have set up mod_auth_ntlm_winbind with standard configuration 
directives: 
 
<Directory "/var/www/html/ntlm"> 
AuthName "NTLM Authentication thingy" 
NTLMAuth on 
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" 
NTLMBasicAuthoritative on 
AuthType NTLM 
require valid-user 
</Directory> 
 
Now, whenever I try to access a protected page from Internet Explorer, the 
browser immediately shows the "This page cannot be displayed" error page. 
Apache log has the following: 
 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(1042): [client 
192.168.1.81] doing ntlm auth dance 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(483): [client 
192.168.1.81] Launched ntlm_helper, pid 23135 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(653): [client 
192.168.1.81] creating auth user 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(704): [client 
192.168.1.81] parsing reply from helper to YR 
TlRMTVNTUAABAAAAB7IIogYABgAtAAAABQAFACgAAAAFASgKAAAAD0FMRVBIQ1NfTFRE\n 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(742): [client 
192.168.1.81] got response: TT 
TlRMTVNTUAACAAAADAAMADAAAAAFgomiSWRrq1xZYHUAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(412): [client 
192.168.1.81] sending back 
TlRMTVNTUAACAAAADAAMADAAAAAFgomiSWRrq1xZYHUAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(1042): [client 
192.168.1.81] doing ntlm auth dance 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(483): [client 
192.168.1.81] Launched ntlm_helper, pid 23136 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(653): [client 
192.168.1.81] creating auth user 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(704): [client 
192.168.1.81] parsing reply from helper to YR 
TlRMTVNTUAABAAAAB7IIogYABgAtAAAABQAFACgAAAAFASgKAAAAD0FMRVBIQ1NfTFRE\n 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(742): [client 
192.168.1.81] got response: TT 
TlRMTVNTUAACAAAADAAMADAAAAAFgomi+UqzMLRhfgoAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
[Wed Apr 02 12:58:27 2008] [debug] mod_auth_ntlm_winbind.c(412): [client 
192.168.1.81] sending back 
TlRMTVNTUAACAAAADAAMADAAAAAFgomi+UqzMLRhfgoAAAAAAAAAAHIAcgA8AAAAQwBTAF8ATABUAEQA
AgAMAEMAUwBfAEwAVABEAAEAEABSAEEASQBOAEIATwBXADIABAAYAGMAcwBsAHQAZAAuAGMAbwBtAC4A
dQBhAAMAKgByAGEAaQBuAGIAbwB3ADIALgBjAHMAbAB0AGQALgBjAG8AbQAuAHUAYQAAAAAA 
 


Version-Release number of selected component (if applicable):
mod_auth_ntlm_winbind-0.0.0-0.5.20071128svn794.fc7
httpd-2.2.8-1.fc7
samba-3.0.28-0.fc7

How reproducible:
Always

Steps to Reproduce:
1. Install mod_auth_ntlm_winbind
2. Configure it using sample configuration from the README file
3. Try to access a protected page in Internet Explorer
  
Actual results:
Browser displays "This page cannot be displayed" error page.

Expected results:
The user is authenticated transparently and the protected page is shown.

Additional info:
Comment 1 Leonid Zeitlin 2008-04-04 07:16:01 EDT
I figured it out. NTLM authentication doesn't work if keep-alive is disabled in 
Apache. Unfortunately, Fedora default httpd.conf has "KeepAlive off". Setting 
it to "on" resolves the problem. It would be nice if the 
mod_auth_ntlm_winbind's docs mentioned this, or even if some warning was issued 
when installing the module.
Comment 2 Dmitry Butskoy 2008-04-04 12:21:36 EDT
Add comment to the config file.

Note You need to log in before you can comment on or make changes to this bug.