mod_auth_ntlm_winbind SSO not working

I have a working Samba/WinBind installation on an openSUSE 12.3 installation. I can login with my Windows credentials via SSH without any issues.

I’m now trying to use mod_auth_ntlm_winbind to implement SSO on a website hosted on this server. I’ve set up my environment according to the adLDAP site. I can pass all tests:

I’ve added the wwwrun user account to the winbind group.

My problem seems to be that the Apache server can’t write to the winbindd_privileged directory/pipe. Here are the relevant messages from the Apache error_log:

[Sun May 05 09:59:03 2013] [debug] mod_auth_ntlm_winbind.c(482): [client X.X.X.X] Launched ntlm_helper, pid 4489
[Sun May 05 09:59:03 2013] [debug] mod_auth_ntlm_winbind.c(652): [client X.X.X.X] creating auth user
[Sun May 05 09:59:03 2013] [debug] mod_auth_ntlm_winbind.c(693): [client X.X.X.X] failed to write NTLMSSP string to helper - wrote 0 bytes

That is all the lines I get per page request.

I’ve changed the rights on the winbindd_privileged directory to 777 just to see if that helped and it didn’t. I’ve read through the code for mod_auth_ntlm_winbind and basically it says that if the # of bytes written to the helper is not equal to the expected # of bytes then the server request will fail with a 500, which is what I am getting.

My browser is set to see the site in question as a local intranet site (IE 8.0).

I’ve run Wireshark and tcpdump on the client and server and I can see that the client sends an NTLM negotiate request to the server in the initial request, so it looks like it should work but I’m getting nowhere.

Anyone have any idea where I’m going wrong?

Thanks,

Mike

Configs:

(NOTE: I have checked: KeepAlive On is configured by default in the distribution)

vhost.conf
<Directory "/srv/test-vhost/htdocs">
AuthName "NTLM Authentication thingy"
NTLMAuth on
NegotiateAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
NTLMBasicAuthoritative off
AuthType NTLM
#AuthType Negotiate

require valid-user

Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>

smb.conf

[global]
log level = 5
workgroup = TEST
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
#idmap gid = 10000-20000
#idmap uid = 10000-20000
kerberos method = secrets and keytab
realm = TEST.COM
preferred master = no
security = ADS
encrypt passwords = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
winbind use default domain = yes
winbind nested groups = yes
winbind offline logon = yes

krb5.conf

[libdefaults]
default_realm = TEST.COM
clockskew = 300

default_realm = EXAMPLE.COM

[realms]
TEST.COM = {
kdc = dc01.test.com
default_domain = test.com
admin_server = dc01.test.com:749
}

EXAMPLE.COM = {

kdc = kerberos.example.com

admin_server = kerberos.example.com

}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
[appdefaults]
pam = {
debug = true
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
external = sshd
use_shmem = sshd
clockskew = 300
}

So your question is beyond me, but a few facts are in order. winbind is only used in an Active Windows Domain setup and not required in a peer-to-peer sharing setup. I have a bash script that might be useful on a PC running openSUSE to check your smb.conf file for errors and to make sure the right services are running. Have a look here: S.A.C.T. - Samba Automated Configuration Tool - Version 1.06 - Blogs - openSUSE Forums Also in forum posts, be sure to use code # tags for configuration file and other such text posts. See your quote above to see what I mean.

Thank You,

James - thanks for the posting input. Duly noted.

Anyone else (including James)… I’ve done some more debugging and I’m starting to wonder if there is actually a bug or not. I ran strace on a standalone httpd2 instance to see what I could find and here is a relevant section of output:

open("/srv/test/htdocs/.htaccess", O_RDONLY|O_CLOEXEC) = 11
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7faa14d15000
fstat(11, {st_mode=S_IFREG|0644, st_size=99, ...}) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7faa14d12000
read(11, "AcceptPathInfo on\nRewriteEngine "..., 4096) = 99
read(11, "", 4096)                      = 0
close(11)                               = 0
pipe([11, 12])                          = 0
fcntl(12, F_GETFD)                      = 0
fcntl(12, F_SETFD, FD_CLOEXEC)          = 0
pipe([13, 14])                          = 0
fcntl(13, F_GETFD)                      = 0
fcntl(13, F_SETFD, FD_CLOEXEC)          = 0
access("/usr/bin/ntlm_auth", X_OK)      = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7faa1ae2ba10) = 9153
close(11)                               = 0
close(14)                               = 0
gettimeofday({1367866888, 258653}, NULL) = 0
write(6, "[Mon May 06 15:01:28 2013] [debu"..., 117) = 117
gettimeofday({1367866888, 258718}, NULL) = 0
write(6, "[Mon May 06 15:01:28 2013] [debu"..., 105) = 105
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7faa14d10000
write(12, "YR TlRMTVNTUAABAAAAl4II4gAAAAAAA"..., 1499980322689777724) = -1 EFAULT (Bad address)
gettimeofday({1367866888, 258823}, NULL) = 0
write(6, "[Mon May 06 15:01:28 2013] debu"..., 143) = 143
close(13)                               = 0
close(12)                               = 0
stat("/usr/share/apache2/error/HTTP_INTERNAL_SERVER_ERROR.html.var", {st_mode=S_IFREG|0644, st_size=13403, ...}) = 0

As you can see, there is a pipe opened between file descriptors 11 and 12. The ntlm_auth helper is started and a little further down a write is made to file descriptor 12. The length of data to be written seems WAY off unless my limited understanding is wrong. If I am correct it would seem that the memory size is bad at this point and this is why it fails (error -1 EFAULT).

Any insight is helpful.

Thanks,

Mike

Although I also haven’t looked at this closely, it’s my general understanding that this module implements NTLM authentication which would ordinarily be useful in a Windows Domain (today, for Windows authentication where Kerberos isn’t useful, eg using application gateways like webservers, in this case Apache), but is not used only in Windows Domains.

NTLM authentication for instance might point to a standalone Windows machine. In theory, I suppose it might be used on a SAMBA only machine in a network completely without any Windows although I doubt it’d be the first recommended choice.

I might consider using NTLM in a scenario entirely without Windows if the application (eg web application framework) was fundamentally based on passing NTLM tokens.

TSU

Maybe I wasn’t exactly clear. I have a working Windows 2008 R2 Active Directory environment. I’ve built several web applications that run on openSUSE servers under Apache. The openSUSE systems all can be connected to via ssh and Windows login credentials are working just fine to authenticate access to the Linux hosts as well as authorize use of the Linux hosts. What I’m trying to achieve is to implement SSO to the web applications so that I can retrieve the usernames of my internal users and therefore pre-populate user information via LDAP queries in the internal web applications.

mod_auth_ntlm_winbind implements SSO according to the adLDAP site (referred to in my first post). While this module is an old module it really is a simple pass through to the underlying Samba/Winbind environment that performs the actual authentication. Since I know the Samba/Winbind authentication is working (i.e. I can log in via ssh) my assumption is that the ntlm_auth helper is failing to write to the winbindd_privileged pipe which would then use the winbind environment to perform the authentication.

Hopefully that clears up my intention and issue.

Thanks,

Mike

First, I would still stick with my original statement that the issue is beyond me, so that there is no doubt. But, almost all issues with Samba in openSUSE are due to one of three things: a bad smb.conf file, lack of proper rights for the files and folders being shared, and an incorrect Samba user database. Without a doubt, I don’t use a Windows domain for my Samba testing and so there is more that could be wrong. I would like to have you run these commands in a terminal of the openSUSE PC running Samba to see what you get and post them here in a code block.

testparm -s

testparm -sv

I would highly recommend you check out the Samba Web Site here: Samba - opening windows to a wider world and there is nothing wrong in getting a copy of the bash script SACT as it includes the two commands I mention as a menu option you can run. Samba 4 is out also and while I have not used it, it’s another option you could go for (on your own) if you wanted to give it a try.

Thank You,

Cool.

Yes, NTLM support is required when implementing SSO for web applications because this is one of those instances where the client ordinarily can’t use Kerberos. Typically the client connection to the webserver uses the NTLM protocol because it’s “public Internet friendly” and doesn’t require additional security (eg SSL). I don’t know if SAMBA supports it, but “NTLM digest” can be a lightweight alternative to regular NTLM. This assumes that Apache is simply passing tokens to SAMBA and is not able to proxy/convert to Kerberos which would be the preferred method if supported.

Hmmmm… more stuff to investigate and update myself when I come across this next.

HTH,
TSU

Hi,
Just to say that I have the same problem you have in SLES.

About a month ago I was in the same situation you are in, and I’m back there. I downloaded the latest git version and created a new rpm with that. I may say that didn’t solve the problem. Because I didn’t have time to experiment on that machine for a month until yesterday. Now it is working with no intervention.

Yesterday I deployed a new machine with the same configuration and guess what, I’m back to the same errors in authentication.

I’ve been looking for solutions on the net but no luck yet.

Best regards,
Alvega.

Hi
Does this link help?

Having experienced the same errors as the OP (“failed to write NTLMSSP string to helper - wrote 0 bytes”) on SLES 11 SP2 I found this thread where the last post points to some minor fixes needed for the definition of “bytes_written” in the source. I believe this bug only appears on 64-bit platforms.

The official patch found its way upstream in Nov 2007 but regrettably the fix was never backported in SLES.
And because this package is in the SLES SDK where no support is provided by SUSE, as much as I’d like to I can’t open a support case to get this fixed.

So here is how I rebuilt apache2-mod_auth_ntlm_winbind-0.0.0.lorikeet_svn_682-1.18.rpm from the SLE 11 SP2 SDK with the above patch to get rid of this error:

  1. Download SLE-11-SP2-SDK-DVD-x86_64-GM-DVD2.iso from download.suse.com
  2. Extract apache2-mod_auth_ntlm_winbind-0.0.0.lorikeet_svn_682-1.18.src.rpm from the ISO.
  3. On a SLES system run these commands:

# install the sources
sudo rpm -i apache2-mod_auth_ntlm_winbind-0.0.0.lorikeet_svn_682-1.18.src.rpm

# install the prerequisite apxs2, for building from source
sudo zypper install apache2-devel

# create a temporary buildroot, I use /tmp/build as an example
mkdir /tmp/build
cd /tmp/build
mkdir BUILD RPMS SOURCES SPECS SRPMS
mkdir RPMS/{i386,i486,i586,i686,noarch,athlon}

# copy the sources
cp /usr/src/packages/SOURCES/mod_auth_ntlm_winbind-0.0.0.lorikeet_svn_682.tar.bz2 SOURCES/
cp /usr/src/packages/SPECS/apache2-mod_auth_ntlm_winbind.spec SPECS/

# grab the patch
wget 'http://git.samba.org/?p=jerry/mod_auth_ntlm_winbind.git;a=commitdiff_plain;h=e7c5973f8b605c1b1a72a9274820a4139dfc12a9' -O SOURCES/zero-bytes.patch

# update the RPM .spec
patch SPECS/apache2-mod_auth_ntlm_winbind.spec <<EOF
--- SPECS/apache2-mod_auth_ntlm_winbind.spec.old        2014-01-18 14:03:40.000000000 +0100
+++ SPECS/apache2-mod_auth_ntlm_winbind.spec    2014-01-18 14:27:53.000000000 +0100
@@ -22,7 +22,7 @@
 %define apache_localstatedir %(%{apxs} -q LOCALSTATEDIR)
 %define apache_mmn        %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
 Version:        0.0.0.lorikeet_svn_682
-Release:        1.18
+Release:        1.18.1
 License:        The Apache Software License
 Group:          Productivity/Networking/Web/Servers
 Requires:       apache2 %{apache_mmn} samba-winbind
@@ -32,6 +32,7 @@
 Source:         %{modname}-%{version}.tar.bz2
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #Docdir:         %{_defaultdocdir}/%{apache}
+Patch0:         zero-bytes.patch

 %description
 mod_auth_ntlm_winbind is an Apache module to authenticate users and
@@ -56,6 +57,7 @@

 %prep
 %setup -n %{modname}-%{version}
+%patch0 -p1

 %build
 %{apxs} -c -D APACHE2 mod_auth_ntlm_winbind.c
EOF

# build the RPM
rpmbuild -bb --define '_topdir /tmp/build' /tmp/build/SPECS/apache2-mod_auth_ntlm_winbind.spec
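Review bot: the `Patch0: zero-bytes.patch` line in the second hunk pulls in a file that the recipe fetches with wget over plain HTTP and never verifies, so the spec cannot tell a truncated or altered download from the real upstream commit e7c5973f8b605c1b1a72a9274820a4139dfc12a9; before running rpmbuild, compare the downloaded diff against that commit (or fetch it over HTTPS and record its checksum next to the spec), and consider making %prep fail if the patch does not match the expected content.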

If you are lucky then you should find a new rpm in /tmp/build/RPMS/x86_64/ with a “.1” version that includes the above patch.

I’ve only tested this for a few hours. So far the error “failed to write NTLMSSP string to helper - wrote 0 bytes” did not appear anymore in the apache logs and NTLM auth with winbind seems to work reliably.

It would be great if someone from SUSE could backport this patch into SLES and openSUSE. Thanks.

HTH
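As an added example (not code from mod_auth_ntlm_winbind, APR, Samba or any of the posts above), this C program models the 64-bit "bytes_written" mismatch that Mike's strace EFAULT and the source fix in the last post both describe: model_write stands in for apr_file_write, and the stale high half of the count slot is a constructed value, not something read from a real stack.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration: a 32-bit "int bytes_written" handed to a write routine
 * that expects a 64-bit in/out count (apr_size_t on x86_64) yields the huge
 * length seen in the strace above and the "wrote 0 bytes" log line. */
#define SINK_SIZE 256
static char sink[SINK_SIZE];

/* Stand-in for apr_file_write(): *nbytes is in/out and 8 bytes wide on LP64.
 * A count the sink cannot hold plays the role of the kernel's EFAULT: the
 * call fails and reports 0 bytes written, exactly what the module logs. */
static int model_write(const char *buf, size_t *nbytes)
{
    if (*nbytes > SINK_SIZE) {
        *nbytes = 0;
        return -1;
    }
    memcpy(sink, buf, *nbytes);
    return 0;
}

/* The buggy pattern, modelled without undefined behaviour: on a little-endian
 * 64-bit stack the int fills the low 4 bytes of the slot the callee reads and
 * the high 4 bytes keep whatever was there before (constructed here). */
static size_t count_as_seen_by_callee(int bytes_written, uint32_t stale_high)
{
    uint64_t slot = ((uint64_t)stale_high << 32) | (uint32_t)bytes_written;
    return (size_t)slot;
}

/* Returns 1 if the whole helper line was delivered, 0 on "wrote 0 bytes". */
static int send_line_buggy(const char *line, uint32_t stale_high)
{
    int bytes_written = (int)strlen(line);              /* 32-bit variable */
    size_t len = count_as_seen_by_callee(bytes_written, stale_high);
    if (model_write(line, &len) != 0)
        return 0;
    return len == strlen(line);
}

/* The fixed pattern: the count has the callee's width, so the module's
 * "bytes written == bytes expected" check compares meaningful values. */
static int send_line_fixed(const char *line)
{
    size_t bytes_written = strlen(line);                /* full-width count */
    if (model_write(line, &bytes_written) != 0)
        return 0;
    return bytes_written == strlen(line);
}
```

With a clean high half the buggy variant happens to succeed, which is why the failure can look intermittent; any leftover bits there turn the count into an impossible length and the write fails.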