Hello!

I've got a (I think) very strange issue with AuthenNTLM and my Samba-based Windows domain.

I'd like to obtain the usual - all domain authenticated users should also be authenticated by Apache (which will afterwards allow them to use some of our Intranet web applications).

Although there are many reports of similar problems on the web nothing really helps in my case. So... I'd like to ask for some help.

The background:

Apache HTTPd - 2.0.54
Apache2::AuthenNTLM - 0.02
Authen::Smb - 0.96
Samba - 3.0.14a-2

[EMAIL PROTECTED] ~]$ read -s DOMAIN_PASSWORD
[EMAIL PROTECTED] ~]$ smbclient -L //devel -U manthios%${DOMAIN_PASSWORD} 2>&1 1> /dev/null
Domain=[SOFTWARE] OS=[Unix] Server=[Samba 3.0.10-1.fc2]
Domain=[SOFTWARE] OS=[Unix] Server=[Samba 3.0.10-1.fc2]
[EMAIL PROTECTED] ~]$ echo $?
0

Hence the account is ok, I can log in, browse the shares, etc.

Now the httpd.conf:

<Location /ntlm>
        PerlAuthenHandler Apache2::AuthenNTLM
        AuthType ntlm
        AuthName test
        require valid-user

        # I use only one domain, hence SetVar; moreover for the sake of
        # clarity, I've put only pdc
        PerlSetVar ntdomain "software devel"
        PerlSetVar defaultdomain software
        PerlSetVar ntlmsemtimeout 60
        PerlSetVar ntlmsemkey 234523
        PerlSetVar fallbackdomain software
        PerlSetVar splitdomainprefix 1
        PerlSetVar ntlmdebug 2
</Location>

And the problem is that... it doesn't work :/

Here's the error_log from the Apache httpd server taken for a single session:

---

[8683] AuthenNTLM: Start NTLM Authen handler pid = 8683, connection = 154708592 conn_http_hdr = Keep-Alive main = cuser = remote_ip = 10.29.0.162 remote_port = 13106 remote_host = <> version = 0.02 smbhandle =
[8683] AuthenNTLM: leave lock
[8683] AuthenNTLM: Setup new object
[8683] AuthenNTLM: Config Domain = software  pdc = devel  bdc =
[8683] AuthenNTLM: Config Default Domain = software
[8683] AuthenNTLM: Config Fallback Domain = software
[8683] AuthenNTLM: Config AuthType = ntlm AuthName = test
[8683] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[8683] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[8683] AuthenNTLM: Config Semaphore key = 234523 timeout = 60
[8683] AuthenNTLM: Config SplitDomainPrefix = 1
[8683] AuthenNTLM: Authorization Header <not given>
[Fri Oct 21 15:23:07 2005] [error] Bad/Missing NTLM/Basic Authorization Header for /ntlm/
[8686] AuthenNTLM: Start NTLM Authen handler pid = 8686, connection = 154708592 conn_http_hdr = Keep-Alive main = cuser = remote_ip = 10.29.0.162 remote_port = 13106 remote_host = <> version = 0.02 smbhandle =
[8686] AuthenNTLM: Setup new object
[8686] AuthenNTLM: Config Domain = software  pdc = devel  bdc =
[8686] AuthenNTLM: Config Default Domain = software
[8686] AuthenNTLM: Config Fallback Domain = software
[8686] AuthenNTLM: Config AuthType = ntlm AuthName = test
[8686] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[8686] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[8686] AuthenNTLM: Config Semaphore key = 234523 timeout = 60
[8686] AuthenNTLM: Config SplitDomainPrefix = 1
[8686] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
[8686] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 130 8 162 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 2 206 14 0 0 0 15
[8686] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=130(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=0, domain offset=0, host length=0, host offset=0, host=, domain=
[8686] handler type == 1
[8686] AuthenNTLM: Connect to pdc = devel bdc =  domain = software
[8686] AuthenNTLM: enter lock
[8686] AuthenNTLM: verify handle  smbhandle == 155999112
[8686] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 163 173 115 146 235 200 12 160 0 0 0 0 0 0 0 0
[8686] AuthenNTLM: charencoding = 1
[8686] AuthenNTLM: flags2 = 130
[8686] AuthenNTLM: nonce=£­s’ëÈ
[8686] AuthenNTLM: Send header: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAo61zkuvIDKAAAAAAAAAAAA==
[8686] AuthenNTLM: verify handle = 1 smbhandle == 155999112

---

(This is a record of a session initiated by a Windows user.)

To make the matters more complicated... Whenever I try to log in I receive an HTTP login screen (how come - "Auth Basic = 0"?) although the key point of NTLM is that I shouldn't (I guess).

I had to change the semaphore key number, since with the default one, I always received a timeout (no matter how long the timeout really was).

I'd appreciate any kind of help. Even RTFM is ok, as long as the M is "the thing" that may help :)

Before I try to hack the code I'd like to know if there is a simple answer, that could save me a lot of work (learning NTLM internals).

Thank you in advance.

(I had to use the UTF-8 since log files give such results.)

Best regards,
Pawel Sawicki
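
The two NTLMSSP messages in the error_log above, decoded field by field, as an added example that is not part of the original post or of Apache2::AuthenNTLM. The flag names are shortened in the style of the module's debug output, and flag_names, secbuf and parse_ntlm are names chosen for this example.

```python
import struct

# Flag bit values per the NTLM specification (MS-NLMP); short names as in the log.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
# Byte values copied from the "Got:" and "Send:" lines of the log above.
TYPE1 = bytes(map(int, ("78 84 76 77 83 83 80 0 1 0 0 0 7 130 8 162 0 0 0 0 0 0 0 0 "
                        "0 0 0 0 0 0 0 0 5 2 206 14 0 0 0 15").split()))
TYPE2 = bytes(map(int, ("78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 "
                        "163 173 115 146 235 200 12 160 0 0 0 0 0 0 0 0").split()))

def flag_names(value):
    """Names of the set bits; bits missing from FLAGS are reported in hex."""
    names = [name for bit, name in FLAGS.items() if value & bit]
    rest = value & ~sum(FLAGS)
    return names + ([f"unknown:0x{rest:08x}"] if rest else [])

def secbuf(msg, pos):
    """Read a (length, maxlen, offset) security buffer and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm(msg):
    """Decode an NTLMSSP type 1 (negotiate) or type 2 (challenge) message."""
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP type 1/2 message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in (1, 2):
        raise ValueError(f"message type {mtype} is not handled here")
    flags = struct.unpack_from("<I", msg, 12 if mtype == 1 else 20)[0]
    out = {"type": mtype, "flags": flag_names(flags)}
    if mtype == 1:  # flags, then domain and workstation buffers, then version
        out.update(domain=secbuf(msg, 16), host=secbuf(msg, 24))
        if flags & 0x02000000 and len(msg) >= 40:  # version block present
            out["version"] = "%d.%d.%d" % struct.unpack_from("<BBH", msg, 32)
    else:           # target-name buffer, flags, then the 8-byte server challenge
        out.update(target=secbuf(msg, 12), challenge=msg[24:32].hex())
    return out

if __name__ == "__main__":
    print(parse_ntlm(TYPE1), parse_ntlm(TYPE2), sep="\n")
```

The module's debug line names only the first two flag bytes (flags1=7, flags2=130); decoding all four shows the client also set the extended-session-security, version, 128-bit and 56-bit bits. The type 2 reply (flag bytes 1 130 0 0) carries only the Unicode, NTLM and always-sign bits.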
