
I have Request Tracker set up on an Ubuntu 12.04 server. It is configured to authenticate against Active Directory through winbind.

Here's the relevant portion of the apache2 configuration:

    AuthType NTLM
    AuthType Negotiate
    AuthName "Request Tracker"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NegotiateAuth on
    NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"

Request Tracker matches the username Apache authenticated against its own users and logs them in automatically. The site is in Internet Explorer's intranet zone, so it automatically logs people in. It works perfectly for most people. In the Apache access logs, it shows the username of the person who logged in for each request.

But from two of our computers, Request Tracker can't match the username to an account. And looking at the Apache logs, it's obvious why: when trying to log in from those computers, the username Apache records is DOMAIN\\username, not just username.

Apache authenticated them just fine, but with the unexpectedly formatted username.

It doesn't matter who logs in from those computers, the login gets recorded as DOMAIN\\username.

As far as I can tell, the problem computers don't have anything unique about them. They were deployed from the same image, and have the same group policies, same Windows updates and same IE version (9) as working ones.

What could cause the difference in the way the username is formatted?

Edit: since it may be related to Samba, here is the relevant portion of smb.conf:

    [global]
    security = ads
    realm = STLEONARDS.LOCAL
    password server = *
    workgroup = STLEONARDS
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    winbind use default domain = yes
    restrict anonymous = 2
    valid users = @"Domain Users"
    idmap uid = 70000-100000
    idmap gid = 70000-100000

I tried changing `winbind use default domain` to `no`, but that didn't make any difference.

Grant
  • I'm not really sure about it, but maybe it's samba adding domain to the username? Could you then try 'winbind use default domain = no' in /etc/samba/smb.conf? This, however, could be DANGEROUS and block users from logging into Samba. – Andrey Sapegin Feb 20 '14 at 15:43
  • @AndreySapegin worth a try, though I'll have to wait until after hours to test it. I'm not sure that's the case though: if it were the server adding the domain, it would do it for all clients, not just 2 of them, wouldn't it? – Grant Feb 20 '14 at 16:07
  • @AndreySapegin tried it, made no difference. – Grant Feb 21 '14 at 17:11
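The mismatch described in the question (Apache hands RT `DOMAIN\username` from some clients and a bare `username` from others) is the kind of thing a web application sitting behind `REMOTE_USER` has to be prepared for, since NTLM and Negotiate/Kerberos can present the same account in different forms. The following is an added example, not code from the question, from Request Tracker or from mod_auth_ntlm_winbind: a small Python normaliser that recognises the three common forms, undoes the `\\` escaping Apache applies to backslashes in its access log, and refuses names from a domain other than the one winbind authenticates against rather than silently stripping the prefix. The sample values, the `STLEONARDS`/`STLEONARDS.LOCAL` pairing taken from the smb.conf above, and the function names are assumptions for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample REMOTE_USER values, in the forms a client may present
# depending on whether it negotiated NTLM or Kerberos. The question's log
# line "DOMAIN\\username" is the access-log escaped form of DOMAIN\username.
SAMPLE_REMOTE_USERS = [
    "jsmith",                     # bare username: what RT expects
    r"STLEONARDS\jsmith",         # NetBIOS-domain (down-level) form
    "jsmith@STLEONARDS.LOCAL",    # Kerberos principal / UPN form
    r"OTHERDOM\jsmith",           # same short name, different domain
]

_DOWNLEVEL = re.compile(r"^([^\\@]+)\\([^\\@]+)$")   # DOMAIN\user
_UPN = re.compile(r"^([^\\@]+)@([^\\@]+)$")          # user@REALM


def unescape_log_field(field: str) -> str:
    """Undo the backslash escaping Apache applies when writing a field to
    the access log, so DOMAIN\\\\user in the log becomes DOMAIN\\user."""
    return field.replace("\\\\", "\\")


def split_remote_user(value: str) -> Tuple[str, Optional[str]]:
    """Split REMOTE_USER into (username, domain_or_realm).
    The domain is None for a bare username; anything else malformed
    (e.g. both a backslash and an @) is rejected rather than guessed at."""
    m = _DOWNLEVEL.match(value)
    if m:
        return m.group(2), m.group(1)
    m = _UPN.match(value)
    if m:
        return m.group(1), m.group(2)
    if "\\" in value or "@" in value:
        raise ValueError(f"unrecognised REMOTE_USER form: {value!r}")
    return value, None


def normalize_remote_user(value: str, workgroup: str, realm: str) -> Optional[str]:
    """Return the bare username the application should look up, or None
    when the name carries a domain/realm that is not ours.

    Refusing a foreign domain instead of stripping it prevents an account
    from a trusted or mistyped domain being mapped onto a local user that
    happens to share the short name.
    """
    user, domain = split_remote_user(value)
    if domain is None:
        return user
    if domain.upper() in (workgroup.upper(), realm.upper()):
        return user
    return None


def classify_samples(workgroup: str, realm: str) -> Dict[str, Optional[str]]:
    """Run every constructed sample through the normaliser; handy for seeing
    at a glance which forms map to the same local account."""
    return {v: normalize_remote_user(v, workgroup, realm) for v in SAMPLE_REMOTE_USERS}


if __name__ == "__main__":
    for raw, mapped in classify_samples("STLEONARDS", "STLEONARDS.LOCAL").items():
        print(f"{raw:28} -> {mapped}")
    # A value as it would appear in the access log, not as Apache passed it on:
    print(normalize_remote_user(unescape_log_field(r"STLEONARDS\\jsmith"),
                                "STLEONARDS", "STLEONARDS.LOCAL"))
```

The point of the `None` return is that a mapping layer should fail closed: if a request ever arrives carrying a domain you did not expect, that is worth a log line and a denied login, not a best-effort match on the short name.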

1 Answer

It appears the issue was with the Negotiate authentication option. Removing the 3 lines for Negotiate made all users able to log in, and the web server logs show the bare username.

I don't know why some computers chose NTLM and some not. But with just NTLM authentication everything works smoothly.

Grant