"Access Denied" error when attempting AD SSO
01-28-2009, 01:37 AM
I was attempting to get Deki configured for Single Sign On with a SBS2003 Active Directory domain, following the details on http://wiki.developer.mindtouch.com/MindTouch_Deki/FAQ/User_Management/How_do_I...enable_single_sign_on_with_Active_Directory%3f. Deki is running on Ubuntu 8.04.2. I have set up both local and domain logins for Deki and the Deki domain login is working fine. When I added the htaccess file and attempted to connect with Internet Explorer 8, I got a 500 error. The following error appeared in the Apache error log (login details modified):
[2009/01/28 13:20:20, 0] utils/ntlm_auth.c:winbind_pw_check(515)
Login for user [DOMAIN]\[USER]@[COMPUTERNAME] failed due to [Access denied]
[2009/01/28 13:20:20, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
If I remove the htaccess file, then I can log in manually with a domain user login.
What is missing from my setup to get SSO going properly?
Are you joined to the domain OK? Can you run wbinfo -t and get a token? Can you get a user list with wbinfo -u?
01-28-2009, 09:18 PM
I joined this machine to the domain using the "likewise-open" tool. I can get a list of users with "wbinfo -u".
This is the output from "wbinfo -t":
$ wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
I'm not sure what that message is telling me.
Start by restarting Winbind. Check your server time is the same on both machines.
client schannel = no in your smb.conf?
Ensure that the account for your Deki server exists in your AD...
Otherwise, this is nothing specific to Deki; google for generic Linux solutions.
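The checks from the replies above (is winbindd running, do the clocks agree, does wbinfo -t verify the trust secret, can the web server's helper reach winbind), gathered into one script. This is an added example, not code from the thread or from the MindTouch wiki. The pipe directory /var/lib/samba/winbindd_privileged, the group winbindd_priv and the web-server user www-data are Debian/Ubuntu defaults assumed here; the parsing is written against the wbinfo -t output posted in the thread.

```shell
#!/bin/sh
# Added example: winbind health checks behind the replies in the thread.
# Commands used are standard Samba and ntp binaries.  The pipe directory,
# group name and web-server user below are Debian/Ubuntu defaults (assumed).

WINBIND_PRIV_DIR=${WINBIND_PRIV_DIR:-/var/lib/samba/winbindd_privileged}  # assumed path
WINBIND_PRIV_GROUP=${WINBIND_PRIV_GROUP:-winbindd_priv}                   # assumed group
WEB_USER=${WEB_USER:-www-data}                                             # assumed Apache user
MAX_SKEW=300   # Kerberos/AD tolerate about 5 minutes of clock skew by default

# classify_trust: read the output of `wbinfo -t` on stdin.  Prints "ok" and
# returns 0 when the machine trust secret verified; otherwise prints the
# NT_STATUS code found in the output (or FAILED) and returns 1.
classify_trust() {
    out=$(cat)
    case "$out" in
        *succeeded*)
            echo ok
            return 0 ;;
        *)
            code=$(printf '%s\n' "$out" | sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1)
            echo "${code:-FAILED}"
            return 1 ;;
    esac
}

# within_skew EPOCH_A EPOCH_B: return 0 when the two clocks are within MAX_SKEW seconds.
within_skew() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# diagnose DC_HOST DOMAIN USER: run the live checks on a joined machine (root needed
# for the pipe-permission and su steps).  USER is a known-good domain account.
diagnose() {
    dc=$1; domain=$2; user=$3

    pgrep -x winbindd >/dev/null 2>&1 \
        || echo "winbindd is not running (the reply suggests restarting it)"

    # Clock skew against the DC: ntpdate -q only queries, it does not set the clock.
    if command -v ntpdate >/dev/null 2>&1; then
        ntpdate -q "$dc" 2>&1 | tail -n 1
    fi

    echo "trust secret: $(wbinfo -t 2>&1 | classify_trust)"
    echo "domain users visible: $(wbinfo -u 2>/dev/null | wc -l)"

    # ntlm_auth launched by Apache runs as the web-server user and needs the
    # privileged winbind pipe, so that user must be in the group owning it.
    if [ -d "$WINBIND_PRIV_DIR" ]; then
        ls -ld "$WINBIND_PRIV_DIR"
        id -nG "$WEB_USER" 2>/dev/null | tr ' ' '\n' | grep -qx "$WINBIND_PRIV_GROUP" \
            || echo "$WEB_USER is not in $WINBIND_PRIV_GROUP; ntlm_auth from Apache cannot use the privileged pipe"
    fi

    # Same helper Apache calls, run as the web-server user; ntlm_auth prompts for the password.
    su -s /bin/sh "$WEB_USER" -c "ntlm_auth --username='$user' --domain='$domain'"
}

# Run the live checks only when invoked with arguments: ./winbind-check.sh dc1 DOMAIN user
if [ "$#" -ge 3 ]; then
    diagnose "$1" "$2" "$3"
fi
```

If classify_trust reports NT_STATUS_ACCESS_DENIED for a user account but "ok" for root, the problem is local pipe permissions rather than the domain join; if it fails for root as well, fix the join (or the likewise/winbind mismatch discussed below) before touching Apache.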
01-29-2009, 04:37 AM
I noticed that likewise-open provides an equivalent program to wbinfo, 'lwiinfo'. Running this program, the token check works fine and I can list the domain users/groups. Would using likewise-open be incompatible with libapache2-mod-auth-ntlm-winbind that I downloaded from http://wiki.developer.mindtouch.com/MindTouch_Deki/FAQ/User_Management/How_do_I...enable_single_sign_on_with_Active_Directory%3f?
If it's not using a winbind-compatible implementation, perhaps. I believe Likewise is just a thin management layer around Samba though (and the primary tech guy there is Jerry Carter from Samba).
Ask on the Likewise mailing list to see if you expect the Apache module to work, or if they have any suggestions, and let us know the outcome.
01-29-2009, 09:36 PM
It appears that Likewise is based on winbind, so I'm guessing the NTLM module should work. I had to install the Debian .deb on Ubuntu 8.04 since the Ubuntu deb had invalid dependencies. Now after adding the htaccess file, when I view the wiki it pops up the browser password dialog which fails to accept a valid domain username/password. Do you have any ideas on this before I ask on the likewise mailing list?
You should fix winbind on the server before caring about Apache...
01-29-2009, 10:24 PM
As far as I can tell, winbind is operating correctly. I can log in to the machine with domain accounts, and the lwiinfo program (Likewise version of wbinfo) returns valid information for all queries.
01-29-2009, 10:58 PM
I noticed that there is a package available for libapache2-mod-auth-kerb. I might try getting SSO going with kerberos auth instead of NTLM.