ntlm_auth reports Broken Helper: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL

Bug #1304953 reported by danbuntu on 2014-04-09
28
This bug affects 5 people
Affects Status Importance Assigned to Milestone
apache-mod-auth-ntlm-winbind (Ubuntu)
Undecided
Unassigned

Bug Description

I have ntlm_auth_winbind installed on a 14.04 server.
I've set up in much the same way as my 12.04 server

I've checked joined the 14.0.4 to my windows domain and testing this with wbinfo.
I have the following in my vhost:

     <Directory /var/www/wiki>
               NTLMAuth on
               AuthType NTLM
               AuthName "Wiki NTLM Authentication"
               NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
               NTLMBasicAuthoritative on
               require valid-user
    </Directory>

When go to the server in firefox it prompts me for the username and password as expected but then shows an internal server error. In the error logs for the site I can see:

[Wed Apr 09 10:52:52.910472 2014] [auth_ntlm_winbind:error] [pid 16040] (20014)Internal error: [client 10.0.150.60:56129] ntlm_auth reports Broken Helper: BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache-mod-auth-ntlm-winbind (Ubuntu):
status: New → Confirmed
Alex (d-f0rce) wrote :

To fix this:

$ usermod -a -G winbindd_priv www-data
$ chgrp winbindd_priv /var/lib/samba/winbindd_privileged
$ ln -s /var/lib/samba/winbindd_privileged/pipe /var/run/samba/winbindd_privileged/pipe

The Apache module expects the winbindd pipe socket to be found in /var/run/samba/winbindd_privileged/. The new location of the file however seems to be /var/lib/samba/winbindd_privileged/.

Olly Betts (ojwb) wrote :

The problem doesn't seem to be in apache-mod-auth-ntlm-winbind - there are no relevant matches for "pipe" in either the source code of the package or in the output of "strings /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so".

This module is really just glue code for apache - it uses the /usr/bin/ntlm_auth helper in the winbind package to do the actual authentication, so I would suggest looking there.

(Although I'm the maintainer of this package in Debian, I no longer have access to a suitable environment to test it in - we were using it in a client project, but switched to kerberos auth a while back).

danbuntu (danattwood) wrote :

I used the method listed by Alex on a few servers now and can confirm that it works

Marco Bettio (marco-bettio) wrote :

I have the same problem authenticating users with ntlm_auth and squid3.
I confirm that the method described works also for fixing also in this case.
Thanks Alex

I can also confirm, Ubuntu 14.04 Server and squid3 3.3.8 and auto-authenticate users with ntlm now. First command was "usermod -a -G winbindd_priv proxy".
Thank you Alex.

denix (denics) wrote :

Hi all,
I confirm the problem still exists in Ubuntu 14.04.3 and method in # solve the issue (at least in my case): Apache 2.4 with auth_ntlm_winbind .

Thanks Alex.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers