Greetings!
After Piotras fixed the NTLM problems in Midgard it has generally been working well. However, now I'm trying to set up NTLM on a new client and get the following problem.
IE 6.0 on WinXP Pro doesn't even seem to try doing the NTLM thing, it just says "Cannot find server", with the following going to winbindd log:
[ 4063]: request interface version
[ 4063]: request location of privileged pipe
[ 4063]: request domain name
[ 4063]: request netbios name
In Apache log:
10.0.3.149 - - [30/Dec/2004:15:11:13 +0200] "GET / HTTP/1.1" 401 471 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
10.0.3.149 - - [30/Dec/2004:15:11:13 +0200] "GET / HTTP/1.1" 401 471 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
(NTLM dialogue should be in three parts, but here are only two requests)
Firefox tries to do NTLM auth, but fails with the following in winbind log:
[ 3860]: request interface version
[ 3860]: request location of privileged pipe
[ 3860]: pam auth crap domain: EUFOR user: TESTAM2
Using cleartext machine password
cred_create
cred_create
cred_assert
NTLM CRAP authentication for user [EUFOR]\[TESTAM2] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
In Apache log:
10.0.3.149 - - [30/Dec/2004:15:10:29 +0200] "GET / HTTP/1.1" 401 471 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0"
10.0.3.149 - - [30/Dec/2004:15:10:29 +0200] "GET / HTTP/1.1" 401 471 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0"
10.0.3.149 - - [30/Dec/2004:15:10:29 +0200] "GET / HTTP/1.1" 401 471 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fi-FI; rv:1.7.5) Gecko/20041108 Firefox/1.0"
This is with Active Directory, and winbindd version 3.0.4.
Additional note: I would like to set the system up so that users from internal network would use NTLM and from external PAM. The hosts are separate (http://intra and https://intra.example.com).
However, PAM and NTLM seem to require different settings in Samba.
For PAM to work, the setting is:
    winbind use default domain = true
And according to Piotras it should be for NTLM:
    winbind use default domain = false
Ideas? I thought NTLM shouldn't require a password as it works through Kerberos. As to IE refusing to display the page, that would suggest there are also other problems at work here.
Oh, and testing things from command line:
# wbinfo -a testam2%<password>
plaintext password authentication succeeded
challenge/response password authentication succeeded
/Bergie
-- 
Henri Bergius [EMAIL PROTECTED]
Consultant Partner Tel: +358-20-198 6032
Nemein Oy http://www.nemein.com/
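The message above judges how far each browser got in the NTLM exchange by counting requests in the Apache log. As an added example (not part of the original message), this Python script groups access-log entries into attempts and labels them the same way; the 5-second window, the label names and the sample lines are assumptions, and because the access log records no Authorization headers the labels are a heuristic.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host, timestamp, request line, status, size, referer, agent.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample: same shape as the entries quoted above (user agents
# shortened), plus one constructed client (10.0.3.150) that succeeds.
SAMPLE = """\
10.0.3.149 - - [30/Dec/2004:15:10:29 +0200] "GET / HTTP/1.1" 401 471 "-" "Firefox/1.0"
10.0.3.149 - - [30/Dec/2004:15:10:29 +0200] "GET / HTTP/1.1" 401 471 "-" "Firefox/1.0"
10.0.3.149 - - [30/Dec/2004:15:10:29 +0200] "GET / HTTP/1.1" 401 471 "-" "Firefox/1.0"
10.0.3.149 - - [30/Dec/2004:15:11:13 +0200] "GET / HTTP/1.1" 401 471 "-" "MSIE 6.0"
10.0.3.149 - - [30/Dec/2004:15:11:13 +0200] "GET / HTTP/1.1" 401 471 "-" "MSIE 6.0"
10.0.3.150 - - [30/Dec/2004:15:12:01 +0200] "GET / HTTP/1.1" 401 471 "-" "MSIE 6.0"
10.0.3.150 - - [30/Dec/2004:15:12:01 +0200] "GET / HTTP/1.1" 401 471 "-" "MSIE 6.0"
10.0.3.150 - - [30/Dec/2004:15:12:01 +0200] "GET / HTTP/1.1" 200 1532 "-" "MSIE 6.0"
"""

def group_attempts(lines, window=timedelta(seconds=5)):
    """Group requests by (client, agent, path) while gaps stay within `window`."""
    attempts, latest = [], {}  # latest: key -> index of that key's open attempt
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        key = (m["ip"], m["ua"], m["path"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        i = latest.get(key)
        if i is None or ts - attempts[i]["end"] > window:
            latest[key] = i = len(attempts)
            attempts.append({"key": key, "end": ts, "statuses": []})
        attempts[i]["statuses"].append(int(m["status"]))
        attempts[i]["end"] = ts
    return attempts

def classify(statuses):
    """Heuristic: plain request, negotiate, authenticate = three requests."""
    if statuses[-1] < 400:
        return "authenticated"
    if statuses[-1] != 401:
        return "other-error"
    return {1: "no-auth-attempt", 2: "stopped-before-authenticate"}.get(
        len(statuses), "credentials-rejected")

if __name__ == "__main__":
    for a in group_attempts(SAMPLE.splitlines()):
        print(a["key"][0], a["key"][1], a["statuses"], classify(a["statuses"]))
```
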
