I have a working Samba/WinBind installation on an openSUSE 12.3 installation. I can log in with my Windows credentials via SSH without any issues.
I’m now trying to use mod_auth_ntlm_winbind to implement SSO on a website hosted on this server. I’ve set up my environment according to the adLDAP site. I can pass all tests:
- kinit username@TEST.COM
- klist
- wbinfo -t
- wbinfo -u
- wbinfo -g
I’ve added the wwwrun user account to the winbind group.
My problem seems to be that the Apache server can’t write to the winbindd_privileged directory/pipe. Here are the relevant messages from the Apache error_log:
[Sun May 05 09:59:03 2013] [debug] mod_auth_ntlm_winbind.c(482): [client X.X.X.X] Launched ntlm_helper, pid 4489
[Sun May 05 09:59:03 2013] [debug] mod_auth_ntlm_winbind.c(652): [client X.X.X.X] creating auth user
[Sun May 05 09:59:03 2013] [debug] mod_auth_ntlm_winbind.c(693): [client X.X.X.X] failed to write NTLMSSP string to helper - wrote 0 bytes
That is all the lines I get per page request.
I’ve changed the rights on the winbindd_privileged directory to 777 just to see if that helped, and it didn’t. I’ve read through the code for mod_auth_ntlm_winbind and basically it says that if the number of bytes written to the helper is not equal to the expected number of bytes, then the server request will fail with a 500, which is what I am getting.
My browser is set to see the site in question as a local intranet site (IE 8.0).
I’ve run Wireshark and tcpdump on the client and server and I can see that the client sends an NTLM negotiate request to the server in the initial request, so it looks like it should work, but I’m getting nowhere.
Anyone have any idea where I’m going wrong?
Thanks,
Mike
Configs:
(NOTE: I have checked: KeepAlive On is configured by default in the distribution)
vhost.conf
<Directory "/srv/test-vhost/htdocs">
AuthName "NTLM Authentication thingy"
NTLMAuth on
NegotiateAuth on
NTLMAuthHelper “/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp”
NegotiateAuthHelper “/usr/bin/ntlm_auth --helper-protocol=gss-spnego”
NTLMBasicAuthoritative off
AuthType NTLM
#AuthType Negotiate
require valid-user
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
smb.conf
[global]
log level = 5
workgroup = TEST
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
#idmap gid = 10000-20000
#idmap uid = 10000-20000
kerberos method = secrets and keytab
realm = TEST.COM
preferred master = no
security = ADS
encrypt passwords = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
winbind use default domain = yes
winbind nested groups = yes
winbind offline logon = yes
krb5.conf
[libdefaults]
default_realm = TEST.COM
clockskew = 300
default_realm = EXAMPLE.COM
[realms]
TEST.COM = {
kdc = dc01.test.com
default_domain = test.com
admin_server = dc01.test.com:749
}
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
[appdefaults]
pam = {
debug = true
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
external = sshd
use_shmem = sshd
clockskew = 300
}
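An added diagnostic script, not part of Mike's post and not code from mod_auth_ntlm_winbind or Samba. "wrote 0 bytes" to the helper's stdin normally means the ntlm_auth child has already exited, so the useful next step is to launch the helper by hand under the Apache uid and feed it the same "YR <base64 Type 1>" line the module writes, which makes the helper's own error text visible. The script assumes the openSUSE defaults from the post (Apache user wwwrun, helper /usr/bin/ntlm_auth, privileged socket directory /var/lib/samba/winbindd_privileged); all three can be overridden through environment variables. The NTLM Type 1 message is constructed inline as a minimal 32-byte NEGOTIATE message.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post): run ntlm_auth the way
# mod_auth_ntlm_winbind does, as the Apache user, outside Apache.
# Assumed paths/users (override via env): wwwrun, /usr/bin/ntlm_auth,
# /var/lib/samba/winbindd_privileged.
APACHE_USER="${APACHE_USER:-wwwrun}"
PRIV_DIR="${PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"

# Build a minimal 32-byte NTLMSSP NEGOTIATE (Type 1) message, base64-encoded,
# i.e. the value a browser sends in "Authorization: NTLM <base64>".
build_type1() {
    {
        printf 'NTLMSSP\000'                      # 8-byte signature
        printf '\001\000\000\000'                 # MessageType = 1 (little-endian)
        printf '\007\002\000\000'                 # flags 0x207: UNICODE|OEM|REQUEST_TARGET|NTLM
        printf '\000\000\000\000\000\000\000\000' # DomainNameFields: len, maxlen, offset = 0
        printf '\000\000\000\000\000\000\000\000' # WorkstationFields: len, maxlen, offset = 0
    } | base64 | tr -d '\n'
}

# Classify one reply line of ntlm_auth's squid-2.5-ntlmssp protocol:
#   TT <b64>   challenge (Type 2) to send back in WWW-Authenticate
#   AF <user>  authenticated;  NA <reason> denied;  BH <msg> helper broke
classify_reply() {
    case "$1" in
        TT\ *) echo challenge ;;
        AF\ *) echo authenticated ;;
        NA\ *) echo denied ;;
        BH\ *) echo broken-helper ;;
        "")    echo no-reply ;;   # helper exited (or could not start) before answering
        *)     echo unknown ;;
    esac
}

# True if user $1 is a primary or supplementary member of group $2.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# One helper round trip as the Apache user: write "YR <type1>", read one line.
probe_helper() {
    printf 'YR %s\n' "$(build_type1)" |
        su -s /bin/sh "$APACHE_USER" -c "$NTLM_AUTH --helper-protocol=squid-2.5-ntlmssp" 2>&1 |
        head -n 1
}

# Live probe only where it can work: root (to switch user) and an installed helper.
if [ "$(id -u)" = 0 ] && [ -x "$NTLM_AUTH" ]; then
    ls -ld "$PRIV_DIR"   # winbindd creates this as root:<privileged group>, mode 0750
    if user_in_group "$APACHE_USER" "$(stat -c %G "$PRIV_DIR")"; then
        echo "$APACHE_USER is in the group owning $PRIV_DIR"
    else
        echo "$APACHE_USER is NOT in the group owning $PRIV_DIR"
    fi
    reply=$(probe_helper)
    echo "helper said: $reply  => $(classify_reply "$reply")"
fi
```

A healthy helper answers the YR line with "TT <base64>"; "BH ..." or an empty reply is the helper failing for its own reasons (missing winbindd, no access to the privileged pipe, helper not executable as that user), which is exactly what Apache only reports as a 0-byte write. Note that a group added to wwwrun is only picked up by Apache processes started after the change, so restart Apache after editing group membership rather than reloading it.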