Ubuntu
apache-mod-auth-ntlm-winbind package

ntlm_auth reports Broken Helper: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL

Bug #1304953 reported by danbuntu
28
This bug affects 5 people
Affects Status Importance Assigned to Milestone
apache-mod-auth-ntlm-winbind (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

I have ntlm_auth_winbind installed on a 14.04 server.
I've set up in much the same way as my 12.04 server

I've checked joined the 14.0.4 to my windows domain and testing this with wbinfo.
I have the following in my vhost:

     <Directory /var/www/wiki>
               NTLMAuth on
               AuthType NTLM
               AuthName "Wiki NTLM Authentication"
               NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
               NTLMBasicAuthoritative on
               require valid-user
    </Directory>

When go to the server in firefox it prompts me for the username and password as expected but then shows an internal server error. In the error logs for the site I can see:

[Wed Apr 09 10:52:52.910472 2014] [auth_ntlm_winbind:error] [pid 16040] (20014)Internal error: [client 10.0.150.60:56129] ntlm_auth reports Broken Helper: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache-mod-auth-ntlm-winbind (Ubuntu):
status: New → Confirmed
Revision history for this message
Alex (d-f0rce) wrote :

To fix this:

$ usermod -a -G winbindd_priv www-data
$ chgrp winbindd_priv /var/lib/samba/winbindd_privileged
$ ln -s /var/lib/samba/winbindd_privileged/pipe /var/run/samba/winbindd_privileged/pipe

The Apache module expects the winbindd pipe socket to be found in /var/run/samba/winbindd_privileged/. The new location of the file however seems to be /var/lib/samba/winbindd_privileged/.

Revision history for this message
Olly Betts (ojwb) wrote :

The problem doesn't seem to be in apache-mod-auth-ntlm-winbind - there are no relevant matches for "pipe" in either the source code of the package or in the output of "strings /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so".

This module is really just glue code for apache - it uses the /usr/bin/ntlm_auth helper in the winbind package to do the actual authentication, so I would suggest looking there.

(Although I'm the maintainer of this package in Debian, I no longer have access to a suitable environment to test it in - we were using it in a client project, but switched to kerberos auth a while back).

Revision history for this message
danbuntu (danattwood) wrote :

I used the method listed by Alex on a few servers now and can confirm that it works

Revision history for this message
Marco Bettio (marco-bettio) wrote :

I have the same problem authenticating users with ntlm_auth and squid3.
I confirm that the method described works also for fixing also in this case.
Thanks Alex

Revision history for this message
Circa Lucid (1-launchpad-kitik1-com) wrote :

I can also confirm, Ubuntu 14.04 Server and squid3 3.3.8 and auto-authenticate users with ntlm now. First command was "usermod -a -G winbindd_priv proxy".
Thank you Alex.

Revision history for this message
denix (denics) wrote :

Hi all,
I confirm the problem still exists in Ubuntu 14.04.3 and method in # solve the issue (at least in my case): Apache 2.4 with auth_ntlm_winbind .

Thanks Alex.

Revision history for this message
Olly Betts (ojwb) wrote :

Package was removed after xenial, so closing ("Fix released" seems the least inappropriate resolution of the options available).

Changed in apache-mod-auth-ntlm-winbind (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.