mod_ntlm2

f0s · Непрочитанное сообщение **f0s** » 2008-07-09 16:48:36

кто копенгаген. есть следующая проблема.

Имеем FBSD 6.2, Apache2, mod_ntlm2, Домен на samba3.0.25+ldap. PDС на этом же компе

вот настройка хоста:

Код: Выделить всё

[f0s@mail] //> cd /usr/local/etc/apache2/Includes/
[f0s@mail] /usr/local/etc/apache2/Includes/> cat mozilla.artpaint
<VirtualHost *:80>
ServerAdmin admin@artpaint.spb.ru
DocumentRoot /usr/home/artpaint/www/data/mozilla.artpaint/
ServerName mozilla.artpaint
SuexecUserGroup artpaint artpaint
Alias       /php-fcgi/      /usr/home/artpaint/www/cgi-bin/
ErrorLog /var/log/httpd/mozilla.artpaint-error.log
CustomLog /var/log/httpd/mozilla.artpaint-access.log combined
ScriptAlias     /moz/   /usr/home/artpaint/www/data/mozilla.artpaint/moz/
AddHandler cgi-script mozilla.config printenv test

<Directory "/usr/home/artpaint/www/data/mozilla.artpaint/moz/">
AllowOverride None
Options ExecCGI
AuthType ntlm
AuthName "ARTPAINT Server"
NTLMAuth on
NTLMAuthoritative on
NTLMDomain ARTPAINT
NTLMServer mail.artpaint
require valid-user
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
[f0s@mail] /usr/local/etc/apache2/Includes/>

Имеем следующий трабл. Когда юзер у которого нет ограничений на вход в комп пытается загрузить скрипт с mozilla.artpaint, все ок:

Код: Выделить всё

[f0s@mail] /var/log/httpd/> cat mozilla.artpaint-access.log
192.168.10.4 - - [09/Jul/2008:17:33:03 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [09/Jul/2008:17:33:03 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - sedova [09/Jul/2008:17:33:03 +0400] "GET /moz/mozilla.config HTTP/1.1" 200 6267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [09/Jul/2008:17:33:58 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [09/Jul/2008:17:33:58 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - sedova [09/Jul/2008:17:33:58 +0400] "GET /moz/mozilla.config HTTP/1.1" 200 6267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [09/Jul/2008:17:34:06 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [09/Jul/2008:17:34:06 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - sedova [09/Jul/2008:17:34:06 +0400] "GET /moz/mozilla.config HTTP/1.1" 200 6267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"



[f0s@mail] /var/log/httpd/> cat mozilla.artpaint-error.log
[Wed Jul 09 17:33:03 2008] [error] [client 192.168.10.4] creating new ntlm_connection 6898096 77799
[Wed Jul 09 17:33:03 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAABAAAAB7IIoggACAAyAAAACgAKACgAAAAFAs4OAAAAD1RFUk1JTkFMMDFBUlRQQUlOVA=="
[Wed Jul 09 17:33:03 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:33:03 2008] [error] [client 192.168.10.4] received msg1 6898096 77799
[Wed Jul 09 17:33:03 2008] [notice] [client 192.168.10.4] send WWW-Authenticate "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAEpFAc7C/SJ4AAAAAAAAAAA=="
[Wed Jul 09 17:33:03 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAADAAAAGAAYAHgAAAAYABgAkAAAABAAEABIAAAADAAMAFgAAAAUABQAZAAAAAAAAACoAAAABYIAAgUCzg4AAAAPQQBSAFQAUABBAEkATgBUAHMAZQBkAG8AdgBhAFQARQBSAE0ASQBOAEEATAAwADEAWOx15FPezKKLtcN9MMCrQ0Pbucd5SzrtWOx15FPezKKLtcN9MMCrQ0Pbucd5Szrt"
[Wed Jul 09 17:33:03 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:33:03 2008] [error] [client 192.168.10.4] received msg3 6898096 77799
[Wed Jul 09 17:33:03 2008] [error] [client 192.168.10.4] authenticating user against DC 6898096 77799
[Wed Jul 09 17:33:03 2008] [error] [client 192.168.10.4] authentication OK! 6898096 77799
[Wed Jul 09 17:33:03 2008] [notice] [client 192.168.10.4] NTLM/SMB user: "ARTPAINT\\sedova": authentication OK.
[Wed Jul 09 17:33:58 2008] [error] [client 192.168.10.4] creating new ntlm_connection 6898096 77800
[Wed Jul 09 17:33:58 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAABAAAAB7IIoggACAAyAAAACgAKACgAAAAFAs4OAAAAD1RFUk1JTkFMMDFBUlRQQUlOVA=="
[Wed Jul 09 17:33:58 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:33:58 2008] [error] [client 192.168.10.4] received msg1 6898096 77800
[Wed Jul 09 17:33:58 2008] [notice] [client 192.168.10.4] send WWW-Authenticate "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAnhY6NfTib5sAAAAAAAAAAA=="
[Wed Jul 09 17:33:58 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAADAAAAGAAYAHgAAAAYABgAkAAAABAAEABIAAAADAAMAFgAAAAUABQAZAAAAAAAAACoAAAABYIAAgUCzg4AAAAPQQBSAFQAUABBAEkATgBUAHMAZQBkAG8AdgBhAFQARQBSAE0ASQBOAEEATAAwADEAlFVHR8GtcuNm3YYnlUv5wQw+zeZ9UCr3lFVHR8GtcuNm3YYnlUv5wQw+zeZ9UCr3"
[Wed Jul 09 17:33:58 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:33:58 2008] [error] [client 192.168.10.4] received msg3 6898096 77800
[Wed Jul 09 17:33:58 2008] [error] [client 192.168.10.4] authenticating user against DC 6898096 77800
[Wed Jul 09 17:33:58 2008] [error] [client 192.168.10.4] authentication OK! 6898096 77800
[Wed Jul 09 17:33:58 2008] [notice] [client 192.168.10.4] NTLM/SMB user: "ARTPAINT\\sedova": authentication OK.
[Wed Jul 09 17:34:06 2008] [error] [client 192.168.10.4] creating new ntlm_connection 6898096 77801
[Wed Jul 09 17:34:06 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAABAAAAB7IIoggACAAyAAAACgAKACgAAAAFAs4OAAAAD1RFUk1JTkFMMDFBUlRQQUlOVA=="
[Wed Jul 09 17:34:06 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:34:06 2008] [error] [client 192.168.10.4] received msg1 6898096 77801
[Wed Jul 09 17:34:06 2008] [notice] [client 192.168.10.4] send WWW-Authenticate "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAWYCU3xcsbfkAAAAAAAAAAA=="
[Wed Jul 09 17:34:06 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAADAAAAGAAYAHgAAAAYABgAkAAAABAAEABIAAAADAAMAFgAAAAUABQAZAAAAAAAAACoAAAABYIAAgUCzg4AAAAPQQBSAFQAUABBAEkATgBUAHMAZQBkAG8AdgBhAFQARQBSAE0ASQBOAEEATAAwADEAVPUx5AnbeAUvAXZp0vC0LBv1zf0ia33GVPUx5AnbeAUvAXZp0vC0LBv1zf0ia33G"
[Wed Jul 09 17:34:06 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:34:06 2008] [error] [client 192.168.10.4] received msg3 6898096 77801
[Wed Jul 09 17:34:06 2008] [error] [client 192.168.10.4] authenticating user against DC 6898096 77801
[Wed Jul 09 17:34:06 2008] [error] [client 192.168.10.4] authentication OK! 6898096 77801
[Wed Jul 09 17:34:06 2008] [notice] [client 192.168.10.4] NTLM/SMB user: "ARTPAINT\\sedova": authentication OK.

А если же этому юзеру выставить ограничение (ограничение на логин к определенной станции).. то есть входить в домен он может только на terminal01 (параметр: sambaUserWorkstations: terminal01), то имеем следующий трабл.. авторизация не проходит:

Код: Выделить всё

[f0s@mail] /var/log/httpd/> cat mozilla.artpaint-access.log
192.168.10.4 - - [09/Jul/2008:17:37:45 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [09/Jul/2008:17:37:45 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [09/Jul/2008:17:37:46 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"


[f0s@mail] /var/log/httpd/> cat mozilla.artpaint-error.log
[Wed Jul 09 17:37:45 2008] [error] [client 192.168.10.4] creating new ntlm_connection 6898096 77894
[Wed Jul 09 17:37:45 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAABAAAAB7IIoggACAAyAAAACgAKACgAAAAFAs4OAAAAD1RFUk1JTkFMMDFBUlRQQUlOVA=="
[Wed Jul 09 17:37:45 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:37:45 2008] [error] [client 192.168.10.4] received msg1 6898096 77894
[Wed Jul 09 17:37:45 2008] [notice] [client 192.168.10.4] send WWW-Authenticate "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAkikK6YJ+zioAAAAAAAAAAA=="
[Wed Jul 09 17:37:46 2008] [notice] [client 192.168.10.4] got auth_line "TlRMTVNTUAADAAAAGAAYAHgAAAAYABgAkAAAABAAEABIAAAADAAMAFgAAAAUABQAZAAAAAAAAACoAAAABYIAAgUCzg4AAAAPQQBSAFQAUABBAEkATgBUAHMAZQBkAG8AdgBhAFQARQBSAE0ASQBOAEEATAAwADEAm+LV26vn/4CVsdy5hF4hc02p9E5A9SP7m+LV26vn/4CVsdy5hF4hc02p9E5A9SP7"
[Wed Jul 09 17:37:46 2008] [notice] [client 192.168.10.4] got header with host "TERMINAL01", domain "ARTPAINT"
[Wed Jul 09 17:37:46 2008] [error] [client 192.168.10.4] received msg3 6898096 77894
[Wed Jul 09 17:37:46 2008] [error] [client 192.168.10.4] authenticating user against DC 6898096 77894
[Wed Jul 09 17:37:46 2008] [error] [client 192.168.10.4] NTLM/SMB user "sedova": authentication failure for "/moz/mozilla.config"

кто знает, в чем может быть трабл?

Хостинг HostFood.ru · **Хостинг HostFood.ru**

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

f0s · Непрочитанное сообщение **f0s** » 2008-07-09 16:57:13

кстати, в догонку, только сейчас заметил. если стоит эта опция, то еще и wbinfo не работает на других fbsd компах

Код: Выделить всё

[f0s@router] /root/bin/> wbinfo -a suchkova%password
plaintext password authentication failed
error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
error messsage was: Invalid workstation
Could not authenticate user suchkova%expSN with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
error messsage was: Invalid workstation
Could not authenticate user suchkova with challenge/response

если добавить в опции разрешение на логин на станцию router (это где сквид стоит), то все ок:

Код: Выделить всё

[f0s@router] /root/bin/> wbinfo -a suchkova%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

а так инет работает (с тачки на которую разрешен логон: terminal01)

Alex Keda

по сабжу - ничё не скажу...
а вообще - у тя всегда интеерсные и нестандартные проблемы...
аж завидно =(

f0s · Непрочитанное сообщение **f0s** » 2008-07-10 11:49:31

да уж.. везет мне на гемор всякий

) придумаю себе всяких сложностей, потом разбираюсь..

в общем заменил модуль mod_ntlm2 на перловый. сделал так:

скачал вот эту тему: http://search.cpan.org/CPAN/authors/id/ ... .02.tar.gz

чуток изменил конфиг:

Код: Выделить всё

[f0s@mail] /var/log/httpd/> cat /usr/local/etc/apache2/Includes/mozilla.artpaint
<VirtualHost *:80>
ServerAdmin admin@artpaint.spb.ru
DocumentRoot /usr/home/artpaint/www/data/mozilla.artpaint/
ServerName mozilla.artpaint
SuexecUserGroup artpaint artpaint
Alias       /php-fcgi/      /usr/home/artpaint/www/cgi-bin/
ErrorLog /var/log/httpd/mozilla.artpaint-error.log
CustomLog /var/log/httpd/mozilla.artpaint-access.log combined
ScriptAlias     /moz/   /usr/home/artpaint/www/data/mozilla.artpaint/moz/
AddHandler cgi-script mozilla.config

<Directory "/usr/home/artpaint/www/data/mozilla.artpaint/moz/">
AllowOverride None
Options ExecCGI
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName "ARTPAINT Server"
PerlAddVar ntdomain  "ARTPAINT mail"
PerlSetVar defaultdomain ARTPAINT
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative off
require valid-user
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

закоментил mod_ntlm2, перезапустил апач.

теперь также, не рботает, но логи немного другие.

1) юзер без ограничений (седова)

Код: Выделить всё

192.168.10.4 - - [10/Jul/2008:12:36:26 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:36:26 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - sedova [10/Jul/2008:12:36:26 +0400] "GET /moz/mozilla.config HTTP/1.1" 200 6267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:36:34 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:36:34 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - sedova [10/Jul/2008:12:36:34 +0400] "GET /moz/mozilla.config HTTP/1.1" 200 6267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"

2) юзер с ограничениями на логин станцию (сучкова)

Код: Выделить всё

192.168.10.4 - - [10/Jul/2008:12:37:13 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:37:13 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:37:13 +0400] "GET /moz/mozilla.config HTTP/1.1" 500 669 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:37:22 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:37:22 +0400] "GET /moz/mozilla.config HTTP/1.1" 401 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"
192.168.10.4 - - [10/Jul/2008:12:37:22 +0400] "GET /moz/mozilla.config HTTP/1.1" 500 669 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru-RU; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9"

из лога видно что после 401 (нужна авторищзация) поулчаем 500.
вот логин error.log:

Код: Выделить всё


[Thu Jul 10 12:36:26 2008] [error] Bad/Missing NTLM/Basic Authorization Header for /moz/mozilla.config
[Thu Jul 10 12:36:34 2008] [error] Bad/Missing NTLM/Basic Authorization Header for /moz/mozilla.config
[Thu Jul 10 12:37:13 2008] [error] Bad/Missing NTLM/Basic Authorization Header for /moz/mozilla.config
[Thu Jul 10 12:37:14 2008] [error] Wrong password/user (rc=3/1/146800642): ARTPAINT\\suchkova for /moz/mozilla.config
[Thu Jul 10 12:37:14 2008] [crit] [client 192.168.10.4] configuration error:  couldn't check user.  No user file?: /moz/mozilla.config
[Thu Jul 10 12:37:22 2008] [error] Bad/Missing NTLM/Basic Authorization Header for /moz/mozilla.config
[Thu Jul 10 12:37:22 2008] [error] Wrong password/user (rc=3/1/146800642): ARTPAINT\\suchkova for /moz/mozilla.config
[Thu Jul 10 12:37:22 2008] [crit] [client 192.168.10.4] configuration error:  couldn't check user.  No user file?: /moz/mozilla.config

то есть почему-то перестает распознаваться пароль юзера... может тут какая-то загвоздка с самбой?..

Alex Keda

http://forum.lissyara.su/viewtopic.php?f=3&t=9537
это помучай. конфиг могу вывалить

forum.lissyara.su

mod_ntlm2

mod_ntlm2

Услуги хостинговой компании Host-Food.ru

Re: mod_ntlm2

Re: mod_ntlm2

Re: mod_ntlm2

Re: mod_ntlm2