Open Bug 645806 Opened 14 years ago Updated 2 years ago

Native NTLM authentication on Linux unsupported

Categories

(Core :: Networking, defect, P5)

x86
Linux
defect

UNCONFIRMED

People

(Reporter: gustavo, Unassigned)

Details

(Whiteboard: [necko-would-take][ntlm])

User-Agent: Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13

I can't get Firefox to authenticate on an NTLM based website without prompting for the password, even though the running user is authenticated to the AD domain.

Some details:
- Kerberos authentication for websites on the same domain works well
- multiple sources on the web claim that NTLM should work as well, although they are not explicit about Linux and Mac
- Firefox logs "writing to ntlm_auth:" but the ntlm_auth binary is NOT executed (I wrote a wrapper with debug output to be sure about this)
- Firefox also logs these self explanatory lines:

    -1215531152[b7619060]: Default credentials allowed for host: 1
    -1215531152[b7619060]: Native sys-ntlm auth module not found.
    -1215531152[b7619060]: Trying to fall back on internal ntlm auth.
    -1215531152[b7619060]: identity invalid = 1
    -1215531152[b7619060]: nsHttpChannel::PromptForIdentity [this=a6febff0]

Related prefs are as follows:

    network.automatic-ntlm-auth.allow-proxies;true
    network.auth.force-generic-ntlm;false
    network.automatic-ntlm-auth.trusted-uris;http://,https://
    network.ntlm.send-lm-response;false

Reproducible: Always

Steps to Reproduce:
1. Log in on the workstation
2. Go to a local NTLM based website
3. Watch the user/pass prompt appear

Actual Results:
Firefox asks for the credentials

Expected Results:
I'd expect to have automatic authentication

Logs were obtained with:

    export NSPR_LOG_FILE=/tmp/moz.log
    export NSPR_LOG_MODULES=negotiateauth:10,nsHttp:10
    tail -f /tmp/moz.log &
    firefox

Component: General → Networking
Product: Firefox → Core
QA Contact: general → networking
The same issue exists in OS X.
Issue still present. Running Firefox 23.0 on Ubuntu precise.
I have been looking at this issue myself today and came across another bug on this bugtracker that seems related ( https://bugzilla.mozilla.org/show_bug.cgi?id=554122 ). ntlm_auth is called with YR and no response will follow in the log files. If you launch firefox from the same directory that has ntlm_auth in it (usually /usr/bin) the auth will work.
Issue still present. Running Firefox 38.2.0 on Ubuntu and CentOS
Issue still present on Ubuntu and Firefox 42.0
Whiteboard: [necko-would-take][ntlm]
I'm using Mozilla Thunderbird 45.3.0 and I also cannot send emails via an SMTP server that requires NTLM authentication. If it matters, Evolution on Linux can do it with the exact same login information I supplied.

(In reply to Hans from comment #4)
> I have been looking at this issue myself today and came across another bug
> on this bugtracker that seems related (
> https://bugzilla.mozilla.org/show_bug.cgi?id=554122 ). ntlm_auth is called
> with YR and no response will follow in the log files. If you launch firefox
> from the same directory that has ntlm_auth in it (usually /usr/bin) the auth
> will work.

If you create a symlink to /usr/bin/ntlm_auth in your homedir, it will work when launched from a desktop environment. The bug is Firefox not looking up the command in the $PATH variable.

With Firefox 48 and winbind 4.3.9 even this fix does not work for me. It worked for some time, but after an update of winbind (I don't remember the version) it stopped working.
Priority: -- → P5

With Firefox 83.0 on Ubuntu 20.04 (focal fossa) the bug is still present.
Fortunately the "symlink to /usr/bin/ntlm_auth on your homedir" workaround proposed at comment 4 still works! So I have solved my usability problem; it just took me quite some time to come here and find this workaround. Is this bug so hard to fix after 10 years?

Severity: normal → S3
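
A diagnostic for the behaviour the comments above describe, where ntlm_auth is only found when Firefox is launched from a directory that contains it. This is an added example, not part of the bug report or of Firefox's code: the function names are hypothetical, and the cwd-relative lookup is modelled on the commenters' description. It also reports when the ntlm_auth in the launch directory is a different file from the one on $PATH, which matters because that file is the helper that would handle the credentials.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report; function names are hypothetical.

# How a bare helper name resolves when the caller does not search $PATH:
# only an executable ./NAME in the current directory can match.
find_in_cwd() {
    [ -f "./$1" ] && [ -x "./$1" ] && printf '%s\n' "$PWD/$1"
}

# Walk a colon-separated directory list (default: $PATH); first match wins.
find_in_path() {
    name=$1 list=${2-$PATH} old_ifs=$IFS
    IFS=:
    for dir in $list; do
        [ -n "$dir" ] || dir=.      # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Classify the current (launch) directory for helper NAME:
#   path-only    installed, but invisible to a cwd-relative lookup (the reported state)
#   both-same    ./NAME is the PATH helper itself, e.g. via the symlink workaround
#   both-differ  ./NAME is some other file shadowing the PATH helper
#   cwd-only / missing
diagnose() {
    in_cwd=$(find_in_cwd "$1") && c=1 || c=0
    in_path=$(find_in_path "$1" "${2-$PATH}") && p=1 || p=0
    case "$c$p" in
        01) echo "path-only $in_path" ;;
        10) echo "cwd-only $in_cwd" ;;
        00) echo "missing" ;;
        11) # readlink -f (GNU coreutils) resolves symlinks to the real file
            if [ "$(readlink -f "$in_cwd")" = "$(readlink -f "$in_path")" ]; then
                echo "both-same $in_path"
            else
                echo "both-differ $in_cwd $in_path"
            fi ;;
    esac
}

diagnose "${1:-ntlm_auth}"
```

Run it from the directory the browser is started in; a desktop launcher typically starts in the home directory, which is why the symlink there changes the result from path-only to both-same.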