Topic: winbind ntlm_auth problem with group membership

Author: twinturbo
Joined: 23 May 2013 Posts: 2 Location: UK, Carlisle
Posted: Thu 23 May '13 12:16 Post subject: winbind ntlm_auth problem with group membership
Apache 2.2.22
Samba 3.6.3
Dear All.
I have built a new server on Ubuntu 12.04.2 LTS to use Single Sign On (SSO) to our various intranet helpdesks. (I could not get it working on the old SLES server, so this was a fresh new build.)
This is using winbind from Samba and the ntlm_auth_winbind module for Apache.
Samba is connected to the domain and pulls users and groups fine.
The new server works fine.
It works fine and as expected when we limited users to specific groups with "--require-membership-of=MYDOMAIN\\\LG-AllStaff".
Then we added our second helpdesk virtual server.
This references a different AD group.
It seemed to work fine too.
However.
Every now and then we would get the login dialog from Internet Explorer; it was very random.
It's proving rather difficult to track down. However, I noticed in the debug log for winbind that our test user at 15:57:41 had failed authentication due to not being a member of the group (but it referenced the group by ID, not name).
The group it was trying to reference was the one for the second virtual helpdesk; however, no attempt had been made by that user to go to that second server.
So
For some reason winbind/ntlm_auth is occasionally getting mixed up somehow.
I can't find any instances of people with a similar issue where the wrong group is being referenced.
Anyone a guru with winbind/ntlm?
<VirtualHost *:80>
    ServerAdmin sysops@oursite.org.uk
    ServerName helpdesk2
    ServerAlias helpdesk2.oursite.internal
    ServerAlias helpdesk2
    # SetEnv no-gzip 1
    DocumentRoot /var/www/helpdesk
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/helpdesk/>
        Options FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        NTLMauth on
        AuthType NTLM
        AuthName "RRFA Auth"
        NTLMAuthHelper "/usr/bin/ntlm_auth --domain=MYDOMAIN.INTERNAL --require-membership-of=MYDOMAIN\\\LG-AllStaff --helper-protocol=squid-2.5-ntlmssp"
        NTLMBasicAuthoritative on
        require valid-user
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access_helpdesk.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
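Each NTLMAuthHelper directive makes Apache spawn its own ntlm_auth helper processes, and it is the helper, not Apache, that enforces --require-membership-of (ntlm_auth resolves the configured name to a SID and checks membership by SID, which is consistent with the SID rather than the name appearing in the winbind log). When two virtual hosts require different groups, the first thing to confirm is which helpers are actually running and which group each one received, because /proc/<pid>/cmdline shows the value after httpd's quoted-string unescaping and any shell processing, so it settles the backslash counting in the directive. The script below is an added example for this thread, not code from the post or from the ntlm_auth_winbind or Samba projects: it reads helper command lines (Linux /proc layout assumed), extracts --domain, --helper-protocol and --require-membership-of, counts helper instances per required group, and flags helpers with no group at all or with a group spec that is neither a DOMAIN\Group name nor a SID (a well-formedness rule of this check, not ntlm_auth's own parser). The sample command lines and PIDs are constructed.

```python
"""Inventory the ntlm_auth helper processes Apache has spawned and report which
group each one enforces.  Added example; not code from the thread.  Linux /proc
layout assumed; the SAMPLE command lines below are constructed."""
import glob
import re
import sys

HELPER_NAME = "ntlm_auth"
WANTED = ("--domain", "--helper-protocol", "--require-membership-of")
# Forms this check treats as well-formed for --require-membership-of:
# a DOMAIN\Group name with exactly one backslash, or a Windows SID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
NAME_RE = re.compile(r"^[^\\]+\\[^\\]+$")


def classify_group(spec):
    """Return 'sid', 'name' or 'invalid' for one --require-membership-of value."""
    if SID_RE.match(spec):
        return "sid"
    if NAME_RE.match(spec):
        return "name"
    return "invalid"  # e.g. a doubled backslash that survived httpd's unquoting


def parse_helper_cmdline(raw):
    """Parse a NUL-separated /proc/<pid>/cmdline; None if it is not ntlm_auth."""
    argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    if not argv or not argv[0].endswith(HELPER_NAME):
        return None
    info = {"domain": None, "protocol": None, "groups": []}
    args, i = argv[1:], 0
    while i < len(args):
        key, sep, val = args[i].partition("=")
        if key in WANTED and not sep and i + 1 < len(args):
            val = args[i + 1]  # "--opt value" form
            i += 1
        if key == "--domain":
            info["domain"] = val
        elif key == "--helper-protocol":
            info["protocol"] = val
        elif key == "--require-membership-of":
            # ntlm_auth accepts several groups separated by commas
            info["groups"].extend(g for g in val.split(",") if g)
        i += 1
    return info


def audit(cmdlines):
    """Return (group spec -> helper count, [(pid, finding), ...]) for the helpers."""
    counts, findings = {}, []
    for pid, raw in cmdlines:
        info = parse_helper_cmdline(raw)
        if info is None:
            continue
        if not info["groups"]:
            findings.append((pid, "no --require-membership-of: with 'require "
                                  "valid-user' any authenticated domain user passes"))
        for g in info["groups"]:
            counts[g] = counts.get(g, 0) + 1
            if classify_group(g) == "invalid":
                findings.append((pid, "malformed group spec %r" % g))
        if info["protocol"] != "squid-2.5-ntlmssp":
            findings.append((pid, "unexpected helper protocol %r" % info["protocol"]))
    return counts, findings


def live_cmdlines():
    """Read every process command line from /proc (Linux only)."""
    out = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                out.append((int(path.split("/")[2]), fh.read()))
        except OSError:
            continue  # process exited or not readable
    return out


# Constructed sample: two helpers for the first vhost, one for the second whose
# group kept a doubled backslash, one configured by SID, one with no group, and
# the parent httpd, which must be ignored.
SAMPLE = [
    (1201, b"/usr/bin/ntlm_auth\0--domain=MYDOMAIN.INTERNAL\0"
           b"--require-membership-of=MYDOMAIN\\LG-AllStaff\0--helper-protocol=squid-2.5-ntlmssp\0"),
    (1202, b"/usr/bin/ntlm_auth\0--domain=MYDOMAIN.INTERNAL\0"
           b"--require-membership-of=MYDOMAIN\\LG-AllStaff\0--helper-protocol=squid-2.5-ntlmssp\0"),
    (1203, b"/usr/bin/ntlm_auth\0--domain=MYDOMAIN.INTERNAL\0"
           b"--require-membership-of=MYDOMAIN\\\\LG-Helpdesk2\0--helper-protocol=squid-2.5-ntlmssp\0"),
    (1204, b"/usr/bin/ntlm_auth\0--domain=MYDOMAIN.INTERNAL\0"
           b"--require-membership-of=S-1-5-21-111-222-333-1104\0--helper-protocol=squid-2.5-ntlmssp\0"),
    (1205, b"/usr/bin/ntlm_auth\0--domain=MYDOMAIN.INTERNAL\0--helper-protocol=squid-2.5-ntlmssp\0"),
    (900, b"/usr/sbin/apache2\0-k\0start\0"),
]

if __name__ == "__main__":
    source = live_cmdlines() if "--live" in sys.argv else SAMPLE
    counts, findings = audit(source)
    for spec, n in sorted(counts.items()):
        print("%-40s %s helper(s) [%s]" % (spec, n, classify_group(spec)))
    for pid, msg in findings:
        print("pid %s: %s" % (pid, msg))
```

Run it without arguments to see the constructed sample; `--live` audits the real process table on the server. The useful comparison is the count per group against the number of vhosts that configure that group: a group from the second helpdesk turning up in a helper that the first vhost's workers talk to is the situation the log line in the post describes, and a group spec reported as `invalid` means the directive's backslashes did not collapse to the single one the helper needs.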

Author: twinturbo
Joined: 23 May 2013 Posts: 2 Location: UK, Carlisle
Posted: Tue 04 Jun '13 10:47
BUMP...
No response then?
Rob

Author: zenmedia
Joined: 31 Oct 2013 Posts: 1 Location: england, uk
Posted: Thu 31 Oct '13 12:51
Hi,
I am currently in the process of setting up a similar solution with Debian.
As a result I would like to assist with trying to duplicate and resolve the issue which you are having.
Could you please confirm which version of ntlm_auth_winbind you are using and the relevant Samba set-up (please ensure that any identifiable information is removed), and I will build a test case environment and try to duplicate your symptoms.
Regards
Ryan