-------- Original Message --------
Subject: NTLM Authentication
Date: Thu, 15 Jan 2004 20:14:51 +0000
From: Darryl L Miles <[EMAIL PROTECTED]>
Organization: E-Smart Integrations Ltd
To: [EMAIL PROTECTED]
Hi,
Sorry to trouble you, but your name has cropped up in many modperl forums I've been researching for a solution to my problem, and I also note you're listed as the author of Apache::AuthenNTLM on CPAN but not in the documentation.
I have a problem in IE6 connects to Apache, apache returns a 401. that my Win2000 machine received
smbclient is able to connect to an authenticated share on the same server from the same Linux host using the same credentials I'm trying from the browser.
I have also confirmed with TCPDUMP that a connection is being made from the Linux host to Win2000. But I suspect Win2000 is sending back a response meaning it's not willing to hand out a "nonce" value to start the authentication process off.
There is nothing in the documentation that indicates I have to configure the Win2000 server in any special way to allow permissions for my Linux/Apache host to verify credentials.
The current output:
[2058] AuthenNTLM: Config Domain = office.domain.com pdc = 172.16.48.3 bdc =
[2058] AuthenNTLM: Config Domain = domain pdc = 172.16.48.3 bdc =
[2058] AuthenNTLM: Config Default Domain = office.domain.com
[2058] AuthenNTLM: Config Fallback Domain =
[2058] AuthenNTLM: Config AuthType = ntlm AuthName = /
[2058] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[2058] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative = on
[2058] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[2058] AuthenNTLM: Authorization Header <not given>
[Thu Jan 15 19:34:52 2004] [error] access to /login_ntlm/process/ failed for , reason: Bad/Missing NTLM/Basic Authorization Header for /login_ntlm/process/
[2059] AuthenNTLM: Config Domain = office.domain.com pdc = 172.16.48.3 bdc =
[2059] AuthenNTLM: Config Domain = domain pdc = 172.16.48.3 bdc =
[2059] AuthenNTLM: Config Default Domain = office.domain.com
[2059] AuthenNTLM: Config Fallback Domain =
[2059] AuthenNTLM: Config AuthType = ntlm AuthName = /
[2059] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[2059] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative = on
[2059] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[2059] AuthenNTLM: Authorization Header NTLM
[2059] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=11, domain offset=35, host length=3, host offset=32, host=SAM, domain=DOMAIN
[2059] AuthenNTLM: Connect to pdc = 172.16.48.3 bdc = domain = domain
[2059] AuthenNTLM: enter lock
[Thu Jan 15 19:34:52 2004] [error] access to /login_ntlm/process/ failed for , reason: Connect to SMB Server faild (pdc = 172.16.48.3 bdc = domain = domain error = -11/0) for /login_ntlm/process/
[2059] AuthenNTLM: leave lock
[Thu Jan 15 19:34:52 2004] [error] access to /login_ntlm/process/ failed for , reason: Cannot get nonce
Typo "faild"
domain error = -11/0: means nothing to me
TCPDUMP proof of Apache/Linux trying to authenticate with Win2000:
20:07:52.594266 arp who-has 172.16.48.3 tell 172.16.48.4
20:07:52.594369 arp reply 172.16.48.3 is-at 0:5:5d:6a:ac:5e
20:07:52.594382 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: S 4239341864:4239341864(0) win 5840 <mss 1460,sackOK,timestamp 1300582614 0,nop,wscale 0> (DF)
20:07:52.594489 172.16.48.3.netbios-ssn > 172.16.48.4.37850: S 4062526081:4062526081(0) ack 4239341865 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
20:07:52.594510 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: . ack 1 win 5840 <nop,nop,timestamp 1300582614 0> (DF)
20:07:52.594606 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: P 1:73(72) ack 1 win 5840 <nop,nop,timestamp 1300582614 0>NBT Packet (DF)
20:07:52.595567 172.16.48.3.netbios-ssn > 172.16.48.4.37850: FP 1:6(5) ack 73 win 64168 <nop,nop,timestamp 50219777 1300582614>NBT Packet (DF)
20:07:52.595943 172.16.48.4.32775 > 172.16.48.3.domain: 26938+ A? . (17) (DF)
20:07:52.596129 172.16.48.3.domain > 172.16.48.4.32775: 26938 ServFail 0/0/0 (17)
20:07:52.634290 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: . ack 7 win 5840 <nop,nop,timestamp 1300582635 50219777> (DF)
20:07:52.664060 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: F 73:73(0) ack 7 win 5840 <nop,nop,timestamp 1300582650 50219777> (DF)
20:07:52.664169 172.16.48.3.netbios-ssn > 172.16.48.4.37850: . ack 74 win 64168 <nop,nop,timestamp 50219777 1300582650> (DF)
I also note that Apache tries to do a DNS lookup for "." and that fails.
My .htaccess file:
PerlAuthenHandler Apache::AuthenNTLM
AuthType ntlm #,basic
AuthName "/"
require valid-user

# domain pdc bdc
PerlAddVar ntdomain "office.domain.com 172.16.48.3"
PerlAddVar ntdomain "domain 172.16.48.3"
PerlSetVar defaultdomain office.domain.com
PerlSetVar ntlmdebug 1
Just a suggestion: it is maybe worth confirming the version number of Apache::AuthenNTLM, maybe at a higher debug level, as I've installed version 0.23 before and have installed your 2.04 over the top and restarted the HTTP servers. Now I'm not sure if it's 2.04 I'm actually running.
Your help or pointers would be much appreciated.
Many Thanks
Darryl
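
The "type=1" debug line in the log above can be reproduced from the raw Authorization header, which helps confirm that the browser side of the handshake is well formed before looking at the SMB side. This is an added example in Python, not part of the original message and not code from Apache::AuthenNTLM; the sample header is constructed (host=SAM, domain=DOMAIN), and treating flags1/flags2 as the two low bytes of the flag word is an assumption inferred from the logged values 7 and 178.

```python
import base64
import struct

# Names as printed in the debug log; the two *_SUPPLIED bits are part of
# NTLM but are not named in that log line (short names are an assumption).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "NEGOTIATE_DOMAIN_SUPPLIED",
    0x00002000: "NEGOTIATE_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
}


def parse_type1(header_value):
    """Decode the value of an 'Authorization: NTLM <base64>' header."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature or truncated message")
    mtype, flags = struct.unpack_from("<II", msg, 8)
    if mtype != 1:
        raise ValueError("expected type 1, got type %d" % mtype)
    # Two security buffers (domain, host): length, allocated length, offset.
    dlen, _, doff, hlen, _, hoff = struct.unpack_from("<HHIHHI", msg, 16)
    for off, length in ((doff, dlen), (hoff, hlen)):
        if length and (off < 32 or off + length > len(msg)):
            raise ValueError("security buffer points outside the message")
    return {
        "flags1": flags & 0xFF,
        "flags2": (flags >> 8) & 0xFF,
        "flag_names": [n for bit, n in sorted(FLAGS.items()) if flags & bit],
        "domain": msg[doff:doff + dlen].decode("ascii", "replace"),
        "host": msg[hoff:hoff + hlen].decode("ascii", "replace"),
    }


def build_sample():
    """Constructed type 1 header: host=SAM, domain=DOMAIN, flags 0xB207."""
    host, domain = b"SAM", b"DOMAIN"
    head = struct.pack("<8sII", b"NTLMSSP\x00", 1, 0xB207)
    head += struct.pack("<HHI", len(domain), len(domain), 32 + len(host))
    head += struct.pack("<HHI", len(host), len(host), 32)
    return "NTLM " + base64.b64encode(head + host + domain).decode()
```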