LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

03-01-2012, 05:28 PM   #1
daftTrunk
LQ Newbie
 
Registered: Mar 2012
Posts: 1

Rep: Reputation: Disabled
[NTLM] Authentication error with mod_auth_ntlm_winbind on Apache server


Hello,

I have trouble setting up SSO on an Apache server with the mod_auth_ntlm_winbind module.

Apologies for any bad English.

More on the background: An internal website needs seamless authentication (no need to input login/password). The Apache server is set up on a Linux machine. People are accessing the website from Windows machines. I looked it up on the internet and decided to go for the mod_auth_ntlm_winbind module. http://adldap.sourceforge.net/wiki/d...authentication

More on the problem: When trying to load pages I am asked for a login/password to authenticate (which should not happen since it is supposed to be seamless), and even when providing a good login/password the authentication fails.

This is my apache error_log:

[debug] mod_auth_ntlm_winbind.c(1019): [client ip] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(483): [client ip] Launched ntlm_helper, pid ***
[debug] mod_auth_ntlm_winbind.c(653): [client ip] creating auth user
[debug] mod_auth_ntlm_winbind.c(704): [client ip] parsing reply from helper to YR ADSFDDGuhkdsvIHJUGFVGFFBf
[debug] mod_auth_ntlm_winbind.c(742): [client ip] got response: TT TRIOASDFYBTdfDGFTFDsnvudnsofOHGEWCHIFRgf
[debug] mod_auth_ntlm_winbind.c(412): [client ip] sending back RFDTGTRFGTFFHTRTSSSDPKIQSTJHIfdhrsdrferwfeDGFHGFYHN
[debug] mod_auth_ntlm_winbind.c(1019): [client ip] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(485): [client ip] Using existing auth helper 12556
[debug] mod_auth_ntlm_winbind.c(704): [client ip] parsing reply from helper to KK FDHGFHHFHGFdgfqqwdrckinuliFGGERBHYUXEUTO
[debug] mod_auth_ntlm_winbind.c(742): [client ip] got response: NA NT_STATUS_NO_SUCH_USER
[debug] mod_auth_ntlm_winbind.c(766): [client ip] user not authenticated: NT_STATUS_NO_SUCH_USER

I thus went looking into winbindd.log, and the connection attempt I saw was with the following user: "[internalURLofmywebsite]\[loginIprovidedInDialogBox]"

The most worrying thing is that I don't see any attempt with an automatically provided username. (Authentication should be seamless, and what I see in winbindd.log is directly linked to the username I entered in the dialog box.) Then, since there is no link between the URL of my website and my ActiveDirectory DOMAIN, I understand I have a NT_STATUS_NO_SUCH_USER.

I have provided my different configurations below. Any help would be great. My two questions are: how to check that an automatic attempt of authentication was done (or why it doesn't seem to happen for me), and then more generally, where do the username and domain "come from" in NTLM SSO?

-ntlm_auth --helper-protocol=squid-2.5-basic works fine from the command line:

ntlm_auth --helper-protocol=squid-2.5-basic
DOMAIN\myuser myPassword
OK



-I had an authorization problem on winbindd_privileged but fixed it with:

chmod 750 /var/run/samba/winbindd_privileged



-Apache httpd.conf (website is in htdocs)

KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

<Directory /usr/local/apache2/htdocs>
AllowOverride All
Order allow,deny
Allow from all
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>



-nsswitch

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns

-Samba smb.conf
workgroup = MYDOMAIN
password server = *****
realm = MYDOMAIN.COM
security = ads
allow trusted domains = no
idmap domains = MYDOMAIN
idmap config MYDOMAIN: default = yes
idmap config MYDOMAIN: backend = rid
idmap config MYDOMAIN: range = 16777216-33554431
idmap alloc config: range 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = yes


Thanks a lot
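
An added example, not part of the original post and not code from mod_auth_ntlm_winbind or Samba: in the squid-2.5-ntlmssp helper protocol, the base64 blob logged after "KK" is the browser's NTLM Type 3 (authenticate) message, and the domain and user name that winbind looks up are the ones the client placed in it. The Python below decodes those fields from a "KK" line; the sample message and the names intranet.example, jdoe and PC01 are constructed, and cp437 as the OEM code page is an assumption.

```python
import base64
import struct

UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE when set

def _field(msg, pos):
    """Read a (Len, MaxLen, Offset) descriptor at pos; return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(b64):
    """Decode a base64 NTLM Type 3 message; return the identity the client sent."""
    msg = base64.b64decode(b64)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != 3:
        raise ValueError(f"expected Type 3 (authenticate), got Type {mtype}")
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & UNICODE else "cp437"  # cp437 is an assumed OEM page
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
    }

def identity_from_helper_line(line):
    """Take a 'KK <base64>' helper request (as logged by the module) and parse it."""
    verb, _, blob = line.strip().partition(" ")
    if verb != "KK":
        raise ValueError("only KK lines carry the client's Type 3 message")
    return parse_authenticate(blob)

def build_sample(domain, user, workstation):
    """Constructed Type 3 message for the demo (empty LM/NT responses, not a real login)."""
    parts = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]
    header, payload, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset + len(payload))
        payload += p
    return base64.b64encode(header + struct.pack("<I", UNICODE) + payload).decode()

if __name__ == "__main__":
    print(identity_from_helper_line("KK " + build_sample("intranet.example", "jdoe", "PC01")))
```

Run against the real "KK" blob from error_log, the domain field shows whether the browser sent the Active Directory domain of the logged-on user or a name it derived after prompting.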
 
  

