Authentication

stefano bonacina
NTLM SSO not working

Hello all

I'm writing to kindly ask for help.

I need to let my Active Directory users connect directly to Moodle without supplying username and password.

After reading many topics concerning the NTLM SSO setup for moodle and related issues, I'm still stuck on my problem.

I have a Linux Debian with moodle version '2.3.1+ (Build: 20120726)'

My LDAP server is running on a Windows 2003 server.

I followed carefully the instructions found in the Moodle docs page "NTLM authentication" (http://docs.moodle.org/24/en/NTLM_authentication)

My web server is Apache/2.2.16 

I followed what is explained in the section "Using the NTLM part of Samba for Apache on Linux": successfully compiled mod_auth_ntlm_winbind using the given instructions, inserted the module reference in the apache conf file.

The winbind was already installed: here is the smb.conf

[global]
workgroup = ADVANCTION
realm = ADVANCTION.COM
server string = %h
netbios name = lms
security = ads
encrypt passwords = true
password server = *
obey pam restrictions = yes
preferred master = no
# printcap name = cups
disable spoolss = Yes
show add printer wizard = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
template shell = /bin/bash
use sendfile = Yes
# printing = cups
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
auth methods = winbind

As you can see, the security directive is different from the one suggested on that page, because security = domain didn't work.

I did a

 # net join DOMAINNAME -S DCSERVER -U Administrator

 with the proper parameters, and it works.

I already have security = ads and it works fine: when I do a 

wbinfo -u

I get the correct user list like this one:

root@moodle /etc/samba# wbinfo -u
LMS\nobody
LMS\moodle
administrator
guest
support_388945a0
iusr_webs-ucfc2i2lq0
iwam_webs-ucfc2i2lq0
aspnet
websense
krbtgt
stefano
silver
999
giorgio
sergio
adm
ldapuser

The apache2.conf has been modified as suggested: I just copied and pasted the ntlmsso_magic.php lines, because I have a standard moodle installation under /var/www/moodle

I checked the permissions of the Winbind pipe directory and added www-data to the winbindd_priv group

Needless to say, the apache server has been restarted, and so have samba and winbind.

I already setup the ldap integration in /admin/auth_config.php?auth=ldap and I'm able to connect using an Active Directory user, via the login page where I need to input username and password.

When I try to connect via an Internet Explorer I see a page saying:

Attempting Single Sign On via NTLM...

And then:

Auto-login failed, try the normal login page...

I then put the following script (found here https://moodle.org/mod/forum/discuss.php?d=219356) to test the $_SERVER['REMOTE_USER'] existence, and I get "NTLM is not working".

<?php
// REMOTE_USER is only populated by the web server after a successful
// authentication exchange on a path it has been configured to protect.
if (isset($_SERVER['REMOTE_USER']) && !empty($_SERVER['REMOTE_USER'])) {
    echo "<p>NTLM authentication seems to be working. User: " . $_SERVER['REMOTE_USER'] . "</p>";
} else {
    echo '<p>NTLM is not working</p>';
}
?>

Just to be sure, I made a php to print the content of the $_SERVER variable. Here it is:

[HTTP_ACCEPT] => */*
[HTTP_ACCEPT_LANGUAGE] => en-us
[HTTP_UA_CPU] => x86
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_USER_AGENT] => Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[HTTP_HOST] => lms
[HTTP_CONNECTION] => Keep-Alive
[HTTP_COOKIE] => MoodleSession=u0ornari5td2dk95j7vntavrl0
[PATH] => /usr/local/bin:/usr/bin:/bin
[SERVER_SIGNATURE] => <address>Apache/2.2.16 (Debian) Server at lms Port 80</address>
[SERVER_SOFTWARE] => Apache/2.2.16 (Debian)
[SERVER_NAME] => lms
[SERVER_ADDR] => 192.168.1.135
[SERVER_PORT] => 80
[REMOTE_ADDR] => 192.168.1.202
[DOCUMENT_ROOT] => /var/www/moodle/
[SERVER_ADMIN] => webmaster@localhost
[SCRIPT_FILENAME] => /var/www/moodle/test/test_server.php
[REMOTE_PORT] => 1793
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /test/test_server.php
[SCRIPT_NAME] => /test/test_server.php
[PHP_SELF] => /test/test_server.php
[REQUEST_TIME] => 1359990431

No REMOTE_USER there.

The Internet Explorer I'm using has the security feature "Enable Integrated Windows Authentication" checked.

Also, Internet Explorer has the website in the Intranet webzone sites. To be sure I also added it in the Trusted sites, even if there shouldn't be any need to do this because the site is reachable via an Intranet URL such as: http://lms/


What am I doing wrong?

Can anybody help me get out of this situation?

Thanks in advance for your help

Best regards

stefano

stefano bonacina
Re: NTLM SSO not working

I setup Apache LogLevel to debug.

This is the output I get (I removed some ssl and deflate related stuff).

[Mon Feb 04 15:46:52 2013] [error] [client 192.168.1.202] PHP Notice: You should really redirect before you start page output<ul style="text-align: left"><li>line 666 of /lib/outputrenderers.php: call to debugging()</li><li>line 2487 of /lib/weblib.php: call to core_renderer->redirect_message()</li><li>line 41 of /auth/ldap/ntlmsso_attempt.php: call to redirect()</li></ul> in /var/www/moodle/lib/weblib.php on line 2865

[Mon Feb 04 15:46:52 2013] [debug] mod_auth_ntlm_winbind.c(1019): [client 192.168.1.202] doing ntlm auth dance, referer: http://lms/auth/ldap/ntlmsso_attempt.php

[Mon Feb 04 15:46:52 2013] [debug] mod_auth_ntlm_winbind.c(483): [client 192.168.1.202] Launched ntlm_helper, pid 16713, referer: http://lms/auth/ldap/ntlmsso_attempt.php

[Mon Feb 04 15:46:52 2013] [debug] mod_auth_ntlm_winbind.c(653): [client 192.168.1.202] creating auth user, referer: http://lms/auth/ldap/ntlmsso_attempt.php

[Mon Feb 04 15:46:52 2013] [debug] mod_auth_ntlm_winbind.c(704): [client 192.168.1.202] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n, referer: http://lms/auth/ldap/ntlmsso_attempt.php

[Mon Feb 04 15:46:55 2013] [error] [client 192.168.1.202] PHP Notice: Undefined index: defaultregion in /var/www/moodle/lib/outputlib.php on line 1228

[Mon Feb 04 15:46:56 2013] [error] [client 192.168.1.202] PHP Notice: You should really redirect before you start page output<ul style="text-align: left"><li>line 666 of /lib/outputrenderers.php: call to debugging()</li><li>line 2487 of /lib/weblib.php: call to core_renderer->redirect_message()</li><li>line 36 of /auth/ldap/ntlmsso_finish.php: call to redirect()</li></ul> in /var/www/moodle/lib/weblib.php on line 2865

[Mon Feb 04 15:47:02 2013] [debug] mod_auth_ntlm_winbind.c(742): [client 192.168.1.202] got response: TT TlRMTVNTUAACAAAAFAAUADAAAAAFgomiBNwuGy6XTO0AAAAAAAAAAG4AbgBEAAAAQQBEAFYAQQBOAEMAVABJAE8ATgACABQAQQBEAFYAQQBOAEMAVABJAE8ATgABAAYATABNAFMABAAcAGEAZAB2AGEAbgBjAHQAaQBvAG4ALgBjAG8AbQADACQAbABtAHMALgBhAGQAdgBhAG4AYwB0AGkAbwBuAC4AYwBvAG0AAAAAAA==, referer: http://lms/auth/ldap/ntlmsso_attempt.php

[Mon Feb 04 15:47:02 2013] [debug] mod_auth_ntlm_winbind.c(412): [client 192.168.1.202] sending back TlRMTVNTUAACAAAAFAAUADAAAAAFgomiBNwuGy6XTO0AAAAAAAAAAG4AbgBEAAAAQQBEAFYAQQBOAEMAVABJAE8ATgACABQAQQBEAFYAQQBOAEMAVABJAE8ATgABAAYATABNAFMABAAcAGEAZAB2AGEAbgBjAHQAaQBvAG4ALgBjAG8AbQADACQAbABtAHMALgBhAGQAdgBhAG4AYwB0AGkAbwBuAC4AYwBvAG0AAAAAAA==, referer: http://lms/auth/ldap/ntlmsso_attempt.php

[Mon Feb 04 15:47:02 2013] [info] [client 192.168.1.202] (104)Connection reset by peer: core_output_filter: writing data to the network

Iñaki Arenaza
Re: NTLM SSO not working

winbind use default domain = Yes

This is probably part of the problem. By default, Moodle expects a "domain-qualified" user name. I.e., it expects something like domainname\username. If you strip the domainname part (that is what the above setting does) Moodle will have trouble authenticating your user.

If you are using Moodle 2.4 or above, you can configure this behaviour as you can specify the format of the username the web server is handing to Moodle (it's the 'Remote username format' LDAP setting). If you are using an earlier version, then you either need to configure samba+winbind to provide the "domain-qualified" user name through the web server, or to change Moodle code to deal with the format samba+winbind is sending to Moodle.

I then put the following script (found here https://moodle.org/mod/forum/discuss.php?d=219356) to test the $_SERVER['REMOTE_USER'] existence, and I get the NTLM is not working.

In order for that script to actually work, you need to configure the web server to ask for client authentication, just like you did for ntlmsso_magic.php. Otherwise the server won't ask the client to authenticate itself, and won't set the 'REMOTE_USER' value in the $_SERVER variable.

PHP Notice: You should really redirect before you start page output

This is from your second post with the Apache logs, but I thought I would address it here too. Make sure you don't set 'display debug information messages' in the debugging settings. If you do, you risk breaking all the redirects that the NTLM SSO machinery needs. And you definitely don't need PHP notices in a production environment, unless you are debugging some issues.

Regards, Iñaki.

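The two points in the answer above (REMOTE_USER only exists on a path Apache has been told to protect, and Moodle expects the value in a domain-qualified shape) can be seen in a few lines of PHP. The block below is an added example, not code from the thread and not Moodle's own implementation: it turns a username template into a regex, extracts the username, and refuses values from any domain other than the one winbind is joined to. The placeholder names %domain% and %username%, the function names, and the sample REMOTE_USER values are assumptions of mine; the NetBIOS name ADVANCTION comes from the smb.conf in the thread. The 'Remote username format' setting mentioned for Moodle 2.4+ works on the same idea, but its exact placeholders are not reproduced here.

```php
<?php
// Added example, not Moodle's code and not from the thread: normalise the
// REMOTE_USER value that mod_auth_ntlm_winbind hands to PHP, showing why a
// bare username (what 'winbind use default domain = Yes' produces) fails
// against a domain-qualified template, and how a different template accepts
// it. Placeholder names, function names and sample values are assumptions.

/**
 * Turn a template such as '%domain%\%username%' into an anchored,
 * case-insensitive regex with named groups.
 */
function ntlm_format_to_regex(string $format): string {
    // preg_quote escapes the backslash in 'DOMAIN\user' templates; '%' is
    // not a regex metacharacter, so the placeholders survive untouched.
    $regex = preg_quote($format, '/');
    $regex = str_replace('%domain%',   '(?P<domain>[^\\\\@]+)', $regex);
    $regex = str_replace('%username%', '(?P<username>[^\\\\@]+)', $regex);
    return '/^' . $regex . '$/i';
}

/**
 * Map REMOTE_USER onto the plain, lower-cased username the LDAP plugin
 * would look up. Returns null when the value does not have the expected
 * shape, or names a domain other than the one we are joined to: accepting
 * 'OTHERDOM\stefano' as local user 'stefano' would let an account in a
 * trusted domain log in as a different person.
 */
function ntlm_remote_user_to_username(string $remoteuser, string $format, string $expecteddomain): ?string {
    if (!preg_match(ntlm_format_to_regex($format), $remoteuser, $m)) {
        return null;
    }
    if (isset($m['domain']) && strcasecmp($m['domain'], $expecteddomain) !== 0) {
        return null;
    }
    return strtolower($m['username']);
}

/**
 * Reworked version of the thread's test script: takes $_SERVER as a
 * parameter so it can be exercised with constructed input, and separates
 * "Apache never asked the browser to authenticate" from "the username
 * arrived in a shape the template does not accept".
 */
function ntlm_sso_diagnose(array $server, string $format, string $expecteddomain): string {
    if (empty($server['REMOTE_USER'])) {
        return 'no REMOTE_USER: the web server did not require authentication for this path';
    }
    $username = ntlm_remote_user_to_username($server['REMOTE_USER'], $format, $expecteddomain);
    if ($username === null) {
        return "REMOTE_USER '{$server['REMOTE_USER']}' does not match template '$format' for domain $expecteddomain";
    }
    return "ok: would log in as '$username'";
}

if (PHP_SAPI === 'cli') {
    $domain  = 'ADVANCTION';           // NetBIOS name from the smb.conf in the thread
    $default = '%domain%\%username%';  // domain-qualified template (the pre-2.4 expectation)

    // Constructed inputs: what winbind hands over with and without
    // 'winbind use default domain = Yes', plus a foreign-domain user.
    $cases = [
        ['ADVANCTION\stefano', $default],      // ok: would log in as 'stefano'
        ['stefano',            $default],      // does not match (the failure in the thread)
        ['stefano',            '%username%'],  // accepted with a bare template, but no domain check is possible
        ['OTHERDOM\stefano',   $default],      // does not match: foreign domain rejected
    ];
    foreach ($cases as [$remoteuser, $format]) {
        echo ntlm_sso_diagnose(['REMOTE_USER' => $remoteuser], $format, $domain), "\n";
    }
    // The situation from the original $_SERVER dump: no REMOTE_USER at all.
    echo ntlm_sso_diagnose([], $default, $domain), "\n";
}
```

Run it with `php` from the command line to see the four outcomes; on a real server, ntlm_sso_diagnose() only says anything useful when the script lives under the same Apache block that protects ntlmsso_magic.php, which is the first point in the answer above. The domain check is the part worth keeping even after the template is relaxed: a bare username template cannot tell two same-named accounts in different trusted domains apart.
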
stefano bonacina
Re: NTLM SSO not working

Thanks Iñaki

you got the solution.

I removed that line (winbind use default domain = Yes) from smb.conf and now the NTLM authentication works great!

Thanks so much for your prompt advice.

Now there's one more happier moodle admin here.

Regards, stefano
