Bug 10201 - mod_auth_ntlm_winbind doesn't work on samba4 with BH responses on KK response
Status: NEEDINFO
Alias: None
Product: mod_auth_ntlm_winbind
Classification: Unclassified
Component: module
Version: 0.1
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Lars Müller
QA Contact: Gerald (Jerry) Carter (dead mail address)
Reported: 2013-10-14 13:44 UTC by Matt Rusiniak
Modified: 2014-07-14 06:27 UTC

Description Matt Rusiniak 2013-10-14 13:44:24 UTC
Overview:
I've been running mod_auth_ntlm_winbind on a samba3 client with great success over the last couple of years. I attempted to upgrade to samba4.0.10 (archlinux) and mod_auth_ntlm_winbind always fails with BH NT_STATUS_UNSUCCESSFUL.

Steps to reproduce:
(using a functional samba3 install)
- net ads leave
- stop smbd/nmbd/winbindd
- upgrade to samba4 (leave same config from samba 3), using Archlinux package manager (pacman -S samba smbclient)
- net ads join
- start smbd/nmbd/winbindd
- test functionality with ntlm_auth (returns NT_STATUS_OK: Success (0x0)), wbinfo -u, wbinfo -g, wbinfo -p
- restart apache (kill all ntlm_auth helpers)
- try to access website with NTLMAuth enabled

Actual results (all base64 strings have been snipped for anonymity, I have decoded them and they all look correct):
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(653): [client 10.21.80.126] creating auth user
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to YR base64_snipped
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: TT base64_snipped
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(412): [client 10.21.80.126] sending back base64_snipped
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(1019): [client 10.21.80.126] doing ntlm auth dance
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(485): [client 10.21.80.126] Using existing auth helper 7001
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to KK base64_snipped
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL
[Fri Oct 11 02:15:10 2013] [error] [client 10.21.80.126] (20014)Internal error: ntlm_auth reports Broken Helper: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL

Expected results (all base64 strings have been snipped for anonymity, I have decoded them and they all look correct):
[Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(653): [client 10.21.80.126] creating auth user
[Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to YR base64_snipped
[Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: TT 64_snipped
[Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(412): [client 10.21.80.126] sending back 64_snipped
[Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(1019): [client 10.21.80.126] doing ntlm auth dance
[Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(485): [client 10.21.80.126] Using existing auth helper 27472
[Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to KK 64_snipped
[Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: AF DOMAIN.COM+username
[Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(788): [client 10.21.80.126] authenticated DOMAIN.COM+username

uname -a:
Linux MRGTLBOX 3.11.4-1-ARCH #1 SMP PREEMPT Sat Oct 5 21:22:51 CEST 2013 x86_64 GNU/Linux

samba4 version tested: 4.0.10
samba3 version tested: 3.6.10
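
Added example, not part of the original report and not code from mod_auth_ntlm_winbind: a small triage script that pairs each helper request (YR, KK) in an Apache error_log with the helper's reply and flags the failure reported here, a BH reply to a KK request. The sample lines are copied from the two excerpts above; the NA verb is an assumption about the helper protocol and does not appear in the report.

```python
import re

# Line layout taken from the error_log excerpts in the report above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:mod_auth_ntlm_winbind\.c\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
REQ_RE = re.compile(r"parsing reply from helper to (YR|KK)\b")
# TT, AF and BH appear in the report; NA is assumed (not on the page).
RESP_RE = re.compile(r"got response: (TT|AF|NA|BH)\b\s*(.*)")

# Lines copied from the report's failing (02:15) and working (08:44) runs.
SAMPLE_LOG = """
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to YR base64_snipped
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: TT base64_snipped
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to KK base64_snipped
[Fri Oct 11 02:15:10 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL
[Fri Oct 11 02:15:10 2013] [error] [client 10.21.80.126] (20014)Internal error: ntlm_auth reports Broken Helper: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL
[Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to YR base64_snipped
[Fri Oct 11 08:44:13 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: TT 64_snipped
[Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 10.21.80.126] parsing reply from helper to KK 64_snipped
[Fri Oct 11 08:44:14 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 10.21.80.126] got response: AF DOMAIN.COM+username
"""

def exchanges(lines):
    """Pair each helper request with the reply that follows it, per client."""
    pending, out = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        client, msg = m["client"], m["msg"]
        req = REQ_RE.search(msg)
        if req:
            pending[client] = req.group(1)
            continue
        resp = RESP_RE.search(msg)
        if resp and client in pending:
            out.append({"ts": m["ts"], "client": client,
                        "request": pending.pop(client),
                        "response": resp.group(1), "detail": resp.group(2)})
    return out

def broken_helper_on_kk(lines):
    """Exchanges where the helper itself failed (BH) on the KK step."""
    return [e for e in exchanges(lines)
            if e["request"] == "KK" and e["response"] == "BH"]

if __name__ == "__main__":
    for e in broken_helper_on_kk(SAMPLE_LOG.splitlines()):
        print(e["ts"], e["client"], "KK -> BH", e["detail"])
```

Separating BH from other replies keeps helper breakage like this one from being counted as failed logins when auth logs are reviewed.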
Comment 1 dan 2014-04-07 14:52:27 UTC
I'm seeing exactly the same issue with Ubuntu 14.04 with samba 4.1.6-Ubuntu

Winbind and other checks against NTLM work fine.
Comment 2 Lars Müller 2014-04-21 15:41:25 UTC
Please reopen if this is still the case with the current Samba 4.0 or 4.1 code
base.

Have you considered using the Apache mod_auth_kerb from
http://modauthkerb.sourceforge.net/ instead?
Comment 3 Lars Müller 2014-04-21 15:46:57 UTC
Oooops, this bug is still open intentionally.

We would like to know from you if mod_auth_kerb isn't a possible alternative to address your needs. This module is actively developed while mod_auth_ntlm has not seen enhancements for quite some time.
Comment 4 Peter 2014-07-14 06:27:20 UTC
I too have just migrated to Ubuntu 14.04 and my NTLM SSO login
is also broken.

Whilst agreeing that the mod_auth_kerb is a superior solution, it is
a real nightmare to implement on my site.

So much so .. that I am going to have to downgrade Samba to version 3,
just to keep us working.

Please ...please can we revisit this.

TIA
Peter