You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Vsevolod Ilyushchenko <si...@cshl.org> on 2000/09/12 00:08:58 UTC

Authenticating twice with Apache::AuthenSmb

Hello,

I have a small glitch with Smb authentication in apache. Basically, if I have 
a frames page in the protected directory, the server asks for the password twice.

Here is what happens. I have a directory "test" under htdocs which is protected by SMB authentication. The index file in this directory has two frames called "left" and "right". When I access the index file, I get the first password dialog. Then, obsevring the traffic, I see that the browser requests the left and right frames, and even though it sends the proper authentication string, it gets a 401 error for one of the two frames. So I get the authentication dialog the second time.

This is not the known apache feature related to the different server names. If I change the authentication to regular password, the problem disappears. Also, I have apache 1.3.12 with mod_perl 1.24. When I tried the same SMB authentication on apache 1.3.9 with mod_perl 1.21, I did not run into this problem. The modules I use are Apache-AuthenSmb-0.60 and Authen-Smb-0.91. 

I have obsverved the authentication process (by inserting a printf() in AuthenSmb.pm) and found that the web server goes to validate the password on the NT server only once, during the first request. 

Any ideas?

TIA,
Simon
-- 
 _________    
|       x |   Simon (Vsevolod ILyushchenko)     simonf@cshl.org   
| y = e   |                                    
|_________|   http://www.simonf.com            simonf@simonf.com 	                    
                                             
				Disclaimer: This is not me.                    
			This is just my mailer talking to your mailer...

Re: Authenticating twice with Apache::AuthenSmb

Posted by Matt Sergeant <ma...@sergeant.org>.
On Mon, 11 Sep 2000, Joshua Gerth wrote:

> I submitted this patch to the Authen::Smb over a year ago and got an
> immediate response that he got the fix and would shortly provide an update.
> Since then he has either been unable or unwilling to return any of my
> other attempts to contact him and he has not (last I checked) produced a
> patched copy of Authen::Smb.  I even respectively offered to take over the
> ownership of the Authen::Smb module which also received no answer.  
> 
> I think Randal and others high in the Perl community listen to this list.
> What would they suggest I do?  I could patch the code and release it under
> a different name but I am concerned that might cause more confusion that
> its worth.

First ask modules@perl.org, if you get no response from them and still no
response from the author, why not release an Authen::NTDomain ? This fits
in with the AL (released under a different name).

-- 
<Matt/>

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org | AxKit: http://axkit.org

Re: Authenticating twice with Apache::AuthenSmb

Posted by Joshua Gerth <jg...@ptdcs2.ra.intel.com>.
Hi Vsevolod,

> I have a small glitch with Smb authentication in apache. Basically, if
> I have a frames page in the protected directory, the server asks for
> the password twice.

The problem is that your web browser is able to send a request for the two
frames in parallel.  So the web server gets two web page hits at exactly
the same and tries to authenticate them both using the login and password
that the browser sent.  NT basically can't deal with more than
one login/password check at any given moment.  (I don't know how long that
moment is but it appears to be pretty long).  The Authen::Smb code which
Apache::AuthenSmb is based on has a very serious bug which treats the
error code NT gives back as a
	NTV_LOGON_ERROR

which makes Apache::AuthenSmb think that the login has failed.  This is
then sent back to the browser which pops up the authentication dialogue
box.  

Apache::AuthenSmb needs to be patched so that it returns a
	NTV_SERVER_ERROR

when its too busy to deal with another authentication check.  The
following code fixes the bug:

patch smbval/valid.c -
43a44,48
>     if( SMBlib_errno == SMBlibE_RecvFailed )
>       {
>       /* Server too busy to handle response */
>       return(NTV_SERVER_ERROR);
>       }

I submitted this patch to the Authen::Smb over a year ago and got an
immediate response that he got the fix and would shortly provide an update.
Since then he has either been unable or unwilling to return any of my
other attempts to contact him and he has not (last I checked) produced a
patched copy of Authen::Smb.  I even respectively offered to take over the
ownership of the Authen::Smb module which also received no answer.  

I think Randal and others high in the Perl community listen to this list.
What would they suggest I do?  I could patch the code and release it under
a different name but I am concerned that might cause more confusion that
its worth.

Hope that helps answer your question.

Cheers,
	Joshua

P.S. This is not a complete solution to your problem.  Once you patch the
Authen::Smb code you will need to update Apache::AuthenSmb to try other
Domain controllers or sleep for a few seconds before trying again.  I also
have code for this which I have submitted to the legal department to get
it released to the public.