[Samba] Combining mod_auth_winbind with other authorization modules

Prev: [Samba] Windows client does not recognize password change...
Next: Problem adding printer drivers

From: Dave on 10 Oct 2006 06:40

---

I'm trying to use the mod_auth_winbind module from lorikeet SVN to
control access to an Apache 2.2.3 server. Samba is 3.0.23b supplied with
Mandriva 2007 and is configured is a member of a w2k3 AD domain. The
Apache users are using IE on W2k or XP domain member clients.

Samba and winbind are working as expected, and if I just use the
mod_auth_winbind module to authenticate the users Apache seems to be OK.
However I also need to use an authorization module to control access to
user groups via the '.htaccess' files. I've tried both
mod_authz_groupfile and mod_authz_dbm; in each case authentication
occasionally falls apart as the following (redacted) Apache error log
segment shows:

mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 28125, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(699): creating auth user, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to YR Tl...ND\n,
referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(788): got response: TT Tl...AA, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(455): sending back Tl...AA, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(472): Decrement the connection request count to
keep it alive, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(531): Using existing auth helper 28125, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to KK Tl...ND\n,
referer: http://myserver/homepage/left.html
libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 1, expected 3
mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER,
referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(812): user not authenticated:
NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(1019): reauth, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 28126, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(699): creating auth user, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to YR Tl...9=\n,
referer: http://myserver/homepage/left.html
libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 3, expected 1
mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER,
referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(812): user not authenticated:
NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(531): Using existing auth helper 28126, referer:
http://myserver/homepage/left.html
mod_ntlm_winbind.c(750): parsing reply from helper to KK Tl...9=\n,
referer: http://myserver/homepage/left.html
libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 3, expected 1
mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER,
referer: http://myserver/homepage/left.html
mod_ntlm_winbind.c(812): user not authenticated:
NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
[notice] child pid 28108 exit signal Segmentation fault (11)

It seems that the browser opens two sessions with the server and the
auth mechanism gets mixed up between the two. The browser displays a
mixture of HTTP headers and the usual Apache 401 message.

Does mod_auth_winbind have any known problems combining in this way?
--
Dave

The information contained in this message (and any attachments) may
be confidential and is intended for the sole use of the named addressee.
Access, copying, alteration or re-use of the e-mail by anyone other
than the intended recipient is unauthorised. If you are not the intended
recipient please advise the sender immediately by returning the e-mail
and deleting it from your system.

This information may be exempt from disclosure under Freedom Of Information
Act 2000 and may be subject to exemption under other UK information
legislation. Refer disclosure requests to the Information Officer.


The original of this email was scanned for viruses by Government Secure Intranet (GSi) virus scanning service supplied exclusively by Cable & Wireless in partnership with MessageLabs.
On leaving the GSI this email was certified virus free.
The MessageLabs Anti Virus Service is the first managed service to achieve the CSIA Claims Tested Mark (CCTM Certificate Number 2006/04/0007), the UK Government quality mark initiative for information security products and services. For more information about this please visit www.cctmark.gov.uk
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

 | 
Pages: 1
Prev: [Samba] Windows client does not recognize password change...
Next: Problem adding printer drivers