Overview: I've been running mod_auth_ntlm_winbind on a samba3 client with great success over the last couple of years. I attempted to upgrade to samba4.0.10 (archlinux) and mod_auth_ntlm_winbind always fails with BH NT_STATUS_UNSUCCESSFUL. Steps to reproduce: (using a function samba3 install) - net ads leave - stop smbd/nmbd/winbindd - upgrade to samba4 (leave same config from samba 3), using Archlinux package manager (pacman -S samba smbclient) - net ads join - start smbd/nmbd/winbindd - test functionality with ntlm_auth (returns NT_STATUS_OK: Success (0x0)), wbinfo -u, wbinfo -g, wbinfo -p - restart apache (kill all ntlm_auth helpers) - try to access website with NTLMAuth enabled Actual results (all base64 strings have been snipped for anonymity, I have decoded them and they all look correct): [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(653): [client 10.21.80.126] creating auth user [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to YR base64_snipped [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: TT base64_snipped [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(412): [client 10.21.80.126] sending back base64_snipped [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(1019): [client 10.21.80.126] doing ntlm auth dance [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(485): [client 10.21.80.126] Using existing auth helper 7001 [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to KK base64_snipped [Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL [Fri Oct 11 02:15:10 2013] [error] [client 10.21.80.126] (20014)Internal error: ntlm_auth reports Broken Helper: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL Expected results (all base64 strings have been snipped for anonymity, I have decoded them and they all look correct): [Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(653): [client 10.21.80.126] creating auth user [Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to YR base64_snipped [Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: TT 64_snipped [Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(412): [client 10.21.80.126] sending back 64_snipped [Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(1019): [client 10.21.80.126] doing ntlm auth dance [Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(485): [client 10.21.80.126] Using existing auth helper 27472 [Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to KK 64_snipped [Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: AF DOMAIN.COM+username [Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(788): [client 10.21.80.126] authenticated DOMAIN.COM+username uname -a: Linux MRGTLBOX 3.11.4-1-ARCH #1 SMP PREEMPT Sat Oct 5 21:22:51 CEST 2013 x86_64 GNU/Linux samba4 version tested: 4.0.10 samba3 version tested: 3.6.10
I'm seeing exactly the same issue with Ubuntu 14.04 with samba 4.1.6-Ubuntu Winbind and other checks against NTLM work fine.
Please reopen if this is still the case with the current Samba 4.0 or 4.1 code base? Have you consider to use the Apache mod_auth_kerb from http://modauthkerb.sourceforge.net/ instead?
Oooops, this bug is still open with intention. We like to know from you if mod_auth_kerb isn't a possible alternative to address your needs. This module is actively developed while mod_auth_ntlm no longer sees enhancements since quite some time.
I too have just migrated to Ubuntu 14.04 and my NTLM SSO login is also broken. Whilst agreeing that the mod_auth_kerb is a superior solution, it is a real nightmare to impliment on my site. So much so .. that I am going to have to downgrade Samba to version 3, just to keep us working Please ...please can we revisit this. TIA Peter