Ian the Terrible has asked for the wisdom of the Perl Monks concerning the following question:

What I want to do seems simple: A perl script running under Linux gets a username and password as input. Then it queries a Windows NT domain controller to see if the username and password are valid.

I found the Authen::Smb module, but it doesn't seem to be working, and the fact that it hasn't been updated since 1999 is disturbing.

Here's the code:

    #!/usr/bin/perl -w
    use strict;
    use Authen::Smb;

    my $authResult = Authen::Smb::authen('username', 'passwd', '//PDC', '//BDC', 'NT_DOMAIN');

    if ( $authResult == 0 ) {
        print "User successfully authenticated.\n";
    } else {
        print "User not authenticated with error level $authResult\n";
    }

This invariably returns "User not authenticated with error level 1." I've varied the way I specify the BDC and PDC (without slashes, as internet hostnames instead of NT names, and as IP addresses), and that doesn't change anything.

No failed queries show up in the logs of the domain controllers, so it seems like the queries aren't getting there at all.

Anyone know a better way? (My first suggestion to the boss, which was to make the NT guy figure out how to do this against the Linux machine, was met with chilly silence.)

Replies are listed 'Best First'.
Re: How do I check WinNT user authentication from *nix?
by blakem (Monsignor) on Sep 16, 2001 at 12:57 UTC
    I've only done this in an apache environment (i.e. authenticate NT users from the Unix webserver) with the mod_auth_samba module. If this is what you need to do, I highly recommend taking a look at it.

    Even though this does nothing to help a standalone perl script, the installation docs might be useful. It requires several other packages to function properly, which might help solve the problems you are running into.

    -Blake

Re: How do I check WinNT user authentication from *nix?
by idnopheq (Chaplain) on Sep 16, 2001 at 16:22 UTC
    Non-perl answer:

    What version of samba are you running? The lack of anything in the NT logs makes me want to agree with your statement "so it seems like the queries aren't getting there at all". If you can, fire up tcpdump and see if any NetBIOS traffic is heading out tcp/udp 135, 137, & 139. Get WinDump for your NT server and check the same thing.

    If you haven't already, you may need to "join" the NT domain/workgroup. Also IIRC, there is a M$ Windows Services for UNIX which has some PAM modules to authenticate from *nix to NT. It costs @ $100USD and includes a bunch of stuff for the Windows side, like a slightly better telnet server ( than the one by default in W2K ) and the MKS tools.

    HTH
    --
    idnopheq
    Apply yourself to new problems without preparation, develop confidence in your ability to meet situations as they arise.

Problem solved
by Ian the Terrible (Beadle) on Sep 16, 2001 at 21:41 UTC
    Now it's working. Installing tcpdump (as suggested above) verified that the queries weren't getting to the domain controllers. I also saw lots of traffic back and forth to our DNS servers, so I figured I wasn't specifying the domain controllers correctly in the script.

    For the record: Slashes are bad. I'm sure I tried that before, but perhaps something else I've done in the meantime (updating Samba, maybe?) was also necessary.

    Eh - the important thing is that it's working, and as is so often the case, the denizens of the Monastery helped.
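
Added example, not part of the original thread or of the Authen::Smb distribution: a version of the script above that strips the UNC-style slashes before calling `Authen::Smb::authen` and separates "could not reach a domain controller" from "bad credentials". The helper names `bare_host` and `check_nt_login` are hypothetical, and the meanings of result codes 1 to 3 are assumed from the module's documentation; the thread itself only shows 0 for success and 1 when the queries never reached the controllers.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::Smb;

# Result codes of Authen::Smb::authen (assumed from the module's docs;
# the thread only confirms 0 = success and 1 = DC never contacted).
my %RESULT = (
    0 => 'authenticated',
    1 => 'server error: could not contact a domain controller',
    2 => 'protocol error',
    3 => 'logon error: bad username or password',
);

# Hypothetical helper: strip UNC-style leading slashes or backslashes,
# so "//PDC" or "\\\\PDC" becomes the bare name "PDC".
sub bare_host {
    my ($name) = @_;
    $name =~ s{^[/\\]+}{};
    return $name;
}

# Hypothetical wrapper: returns (ok, message) for one credential check.
sub check_nt_login {
    my ($user, $pass, $pdc, $bdc, $domain) = @_;
    my $rc = Authen::Smb::authen($user, $pass,
                                 bare_host($pdc), bare_host($bdc), $domain);
    return ($rc == 0, $RESULT{$rc} // "unknown result $rc");
}

# Read credentials from STDIN rather than @ARGV so the password does not
# show up in the process list or shell history.
chomp(my $user = <STDIN> // '');
chomp(my $pass = <STDIN> // '');

# Placeholder controller and domain names taken from the original post.
my ($ok, $msg) = check_nt_login($user, $pass, '//PDC', '//BDC', 'NT_DOMAIN');
print "$user: $msg\n";
exit($ok ? 0 : 1);
```

A result of 1 with nothing in the domain controllers' logs points at name resolution or connectivity rather than at the password, which is what the tcpdump capture in this thread confirmed.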