====== mod_auth_ntlm_winbind ====== ===== mod_auth_ntlm_winbind Overview ===== mod_auth_ntlm_winbind is a pretty cool Apache module that will do authentication against Active Directory with NTLM. I'm not a heavy participant in the Samba world, but huge Kudos have to go Tim Potter, Andrew Bartlett, and Ronan Waide (plus other awesome Samba rock stars). This module was originally known as mod_ntlm_winbind, but the name has been changed to be consistent with the Apache module naming scheme. Samba, Winbind, Kerberos, and Apache must be installed and configured before mod_auth_ntlm_winbind ([[seamless_authentication|see previous section]]), the mod_auth_ntlm_winbind module will not work without these packages. ===== Web Browser Configuration ===== Both Internet Explorer and Firefox support NTLM authentication out of the box. It should just work for intranet hosts, but you can add other hosts to the security settings: Internet Explorer: Tools -> Internet Options -> Security -> Local Intranet -> Sites\\ Firefox: about:config -> network.negotiate-auth.trusted-uris Adding trusted hosts can also be done through group policy. ===== Getting mod_auth_ntlm_winbind ===== The source can be downloaded directly from Samba's Subversion repository: it doesn't work or too long svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind A web view of mod_auth_ntlm_winbind's git tree can be found at: http://git.samba.org/?p=jerry/mod_auth_ntlm_winbind.git The source can also be taken from the Samba git tree: git-clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git ===== Installing mod_auth_ntlm_winbind ===== Install the module with: autoconf ./configure apxs2 -DAPACHE2 -c -i mod_auth_ntlm_winbind.c I personally couldn't get "make install" to work, but I'm not sure why and it possibly works fine for others or has been patched in the latest version. Add the following to httpd.conf to load the mod_ntlm_winbind module: LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so Protect your directories with: AuthName "NTLM Authentication thingy" NTLMAuth on NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" NTLMBasicAuthoritative on AuthType NTLM require valid-user Now you have winbind configured, you add the actual domain groups to the folder using chown/chmod to control permissions. ===== Troubleshooting ===== ==== winbind client not authorized to use winbindd_pam_auth_crap ==== You **must** set the permissions correctly on winbindd_privileged. Samba and winbind both will have problems (and may refuse to run) unless it's set to 750. chmod 750 /var/run/samba/winbindd_privileged You need to run apache as a user (you can't run it as nobody), and add that user to the group set on winbindd_privileged. **DO NOT** set the apache user as the user on winbindd_privileged, the permission must come via the group. In Ubuntu, Apache runs as www-data. Add the www-data user to the group "winbindd_priv". ==== Receiving NT_STATUS_INVALID_PARAMETER in the samba log file ==== Set KeepAlive to On in httpd.conf ==== Compile process does not produce a .so file ==== If the compile process doesn't produce the .so file, and you get an error something like below, edit apache's libtool and change the following option to "yes": build_libtool_libs=no cp .libs/mod_auth_ntlm_winbind.so //usr/local/apache2/modules/mod_auth_ntlm_winbind.so cp: cannot stat `.libs/mod_auth_ntlm_winbind.so': No such file or directory apxs:Error: Command failed with rc=65536 . make: *** [install] Error 1 ==== Sites added to the Intranet zone in group policy are not taking effect on the client ==== When security zone settings are set using Group Policy, it imports settings from the GP Admins computer. If you have Enhanced Security Configuration (ESC) installed, the settings will only take effect on other computers with ESC installed. If you don't have ESC installed, the settings will only take effect on other computers without ESC installed. In this situation, ESC was not installed on the GP Admins computer, and was also not installed on the intended destination, but the GP settings would still not take effect. IE stores its security zone site information in the registry under two separate keys depending if Enhanced Security Configuration is installed. If ESC is enabled, this information is stored under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains If ESC is disabled, this information is stored under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains The server still retains a registry setting which takes effect on new roaming profiles: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]\ "IEHarden"=dword:00000001 === Solution: === Some sites recommended setting the IEHarden value to 0, although we removed the IEHarden value entirely. Remove this value (or set to 0) from all user profiles (via login script): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap "IEHarden'=dword:00000001 Remove this value (or set to 0) from all terminal servers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap] "IEHarden"=dword:00000001 ==== TortoiseSVN ==== TortoiseSVN (or the neon library it uses for WebDAV) seem to not like mod_auth_ntlm_winbind - it will authenticate, but only download 4-5 files while loading out the error logs with messages like this: libsmb/ntlmssp.c:ntlmssp_update(334) got NTLMSSP command 3, expected 1 As described here: http://svn.haxx.se/tsvnusers/archive-2008-10/0001.shtml The error message explained here (half-way through): http://webui.sourcelabs.com/samba/mail/dev/threads/mod_auth_ntlm_winbind_build.meta