|
Table of Contents
mod_auth_ntlm_winbindmod_auth_ntlm_winbind Overviewmod_auth_ntlm_winbind is a pretty cool Apache module that will do authentication against Active Directory with NTLM. I'm not a heavy participant in the Samba world, but huge Kudos have to go Tim Potter, Andrew Bartlett, and Ronan Waide (plus other awesome Samba rock stars). This module was originally known as mod_ntlm_winbind, but the name has been changed to be consistent with the Apache module naming scheme. Samba, Winbind, Kerberos, and Apache must be installed and configured before mod_auth_ntlm_winbind (see previous section), the mod_auth_ntlm_winbind module will not work without these packages. Web Browser ConfigurationBoth Internet Explorer and Firefox support NTLM authentication out of the box. It should just work for intranet hosts, but you can add other hosts to the security settings:
Internet Explorer: Tools → Internet Options → Security → Local Intranet → Sites Adding trusted hosts can also be done through group policy. Getting mod_auth_ntlm_winbindThe source can be downloaded directly from Samba's Subversion repository: svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
A web view of mod_auth_ntlm_winbind's Subversion tree can be found at: Installing mod_auth_ntlm_winbindInstall the module with: autoconf ./configure apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c I personally couldn't get “make install” to work, but I'm not sure why and it possibly works fine for others or has been patched in the latest version. Add the following to httpd.conf to load the mod_ntlm_winbind module: LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so Protect your directories with: <Directory "/var/www/auth"> AuthName "NTLM Authentication thingy" NTLMAuth on NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" NTLMBasicAuthoritative on AuthType NTLM require valid-user </Directory> Now you have winbind configured, you add the actual domain groups to the folder using chown/chmod to control permissions. Troubleshootingwinbind client not authorized to use winbindd_pam_auth_crapYou must set the permissions correctly on winbindd_privileged. Samba and winbind both will have problems (and may refuse to run) unless it's set to 750. chmod 750 /var/run/samba/winbindd_privileged You need to run apache as a user (you can't run it as nobody), and add that user to the group set on winbindd_privileged. DO NOT set the apache user as the user on winbindd_privileged, the permission must come via the group. In Ubuntu, Apache runs as www-data. Add the www-data user to the group “winbindd_priv”. If you recieve error “NA NT_STATUS_INVALID_PARAMETER”, remember to set KeepAlive to On in httpd.conf Compile process does not produce a .so fileIf the compile process doesn't produce the .so file, and you get an error something like below, edit apache's libtool and change the following option to “yes”: build_libtool_libs=no cp .libs/mod_auth_ntlm_winbind.so //usr/local/apache2/modules/mod_auth_ntlm_winbind.so cp: cannot stat `.libs/mod_auth_ntlm_winbind.so': No such file or directory apxs:Error: Command failed with rc=65536 . make: *** [install] Error 1 Sites added to the Intranet zone in group policy are not taking effect on the clientWhen security zone settings are set using Group Policy, it imports settings from the GP Admins computer. If you have Enhanced Security Configuration (ESC) installed, the settings will only take effect on other computers with ESC installed. If you don't have ESC installed, the settings will only take effect on other computers without ESC installed. In this situation, ESC was not installed on the GP Admins computer, and was also not installed on the intended destination, but the GP settings would still not take effect. IE stores its security zone site information in the registry under two separate keys depending if Enhanced Security Configuration is installed. If ESC is enabled, this information is stored under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains If ESC is disabled, this information is stored under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains The server still retains a registry setting which takes effect on new roaming profiles: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]\ "IEHarden"=dword:00000001 Solution:Some sites recommended setting the IEHarden value to 0, although we removed the IEHarden value entirely. Remove this value (or set to 0) from all user profiles (via login script): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap "IEHarden'=dword:00000001 Remove this value (or set to 0) from all terminal servers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap] "IEHarden"=dword:00000001 |
