adLDAP - LDAP authentication with PHP for Active Directory Logo


mod_auth_ntlm_winbind Overview

mod_auth_ntlm_winbind is a pretty cool Apache module that will do authentication against Active Directory with NTLM. I'm not a heavy participant in the Samba world, but huge Kudos have to go Tim Potter, Andrew Bartlett, and Ronan Waide (plus other awesome Samba rock stars). This module was originally known as mod_ntlm_winbind, but the name has been changed to be consistent with the Apache module naming scheme.

Samba, Winbind, Kerberos, and Apache must be installed and configured before mod_auth_ntlm_winbind (see previous section), the mod_auth_ntlm_winbind module will not work without these packages…

Web Browser Configuration

Both Internet Explorer and Firefox support NTLM authentication out of the box. It should just work for intranet hosts, but you can add other hosts to the security settings:

Internet Explorer: Tools → Internet Options → Security → Local Intranet → Sites
Firefox: about:config → network.negotiate-auth.trusted-uris

Adding trusted hosts can also be done through group policy.

Getting mod_auth_ntlm_winbind

The source can be downloaded directly from Samba's Subversion repository:

svn co svn:// mod_auth_ntlm_winbind

The source can also be taken from the Samba git tree:

git clone git:// 

A web view of mod_auth_ntlm_winbind's git tree can be found at:

Installing mod_auth_ntlm_winbind

Install the module with:

apxs2 -DAPACHE2 -c -i mod_auth_ntlm_winbind.c

If the apxs command doesn't work try installing http-devel with the following “yum install httpd-devel” and then re-run the apxs command. I had to do it without the 2 for example “apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c” For more information see this post

I personally couldn't get “make install” to work, but I'm not sure why and it possibly works fine for others or has been patched in the latest version.

I used following and it worked fine

./configure –with-apxs=/u01/httpd/bin/apxs –with-httpd=/u01/httpd/bin/httpd (For above command to work you have to compile httpd with the debug option like ./configure –with-included-apr –with-mpm=worker –prefix=/u01/httpd)

Add the following to httpd.conf to load the mod_ntlm_winbind module:

LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/

Protect your directories with:

<Directory "/var/www/auth">
  AuthName "NTLM Authentication thingy"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user

Now you have winbind configured, you add the actual domain groups to the folder using chown/chmod to control permissions.


winbind client not authorized to use winbindd_pam_auth_crap

You must set the permissions correctly on winbindd_privileged. Samba and winbind both will have problems (and may refuse to run) unless it's set to 750.

chmod 750 /var/run/samba/winbindd_privileged

You need to run apache as a user (you can't run it as nobody), and add that user to the group set on winbindd_privileged. DO NOT set the apache user as the user on winbindd_privileged, the permission must come via the group.

In Ubuntu, Apache runs as www-data. Add the www-data user to the group “winbindd_priv”.

Receiving NT_STATUS_INVALID_PARAMETER in the samba log file

Set KeepAlive to On in httpd.conf

Compile process does not produce a .so file

If the compile process doesn't produce the .so file, and you get an error something like below, edit apache's libtool and change the following option to “yes”: build_libtool_libs=no

cp .libs/ //usr/local/apache2/modules/
cp: cannot stat `.libs/': No such file or directory
apxs:Error: Command failed with rc=65536
make: *** [install] Error 1

Sites added to the Intranet zone in group policy are not taking effect on the client

When security zone settings are set using Group Policy, it imports settings from the GP Admins computer. If you have Enhanced Security Configuration (ESC) installed, the settings will only take effect on other computers with ESC installed. If you don't have ESC installed, the settings will only take effect on other computers without ESC installed. In this situation, ESC was not installed on the GP Admins computer, and was also not installed on the intended destination, but the GP settings would still not take effect.

IE stores its security zone site information in the registry under two separate keys depending if Enhanced Security Configuration is installed.

If ESC is enabled, this information is stored under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

If ESC is disabled, this information is stored under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

The server still retains a registry setting which takes effect on new roaming profiles:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\
  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]\


Some sites recommended setting the IEHarden value to 0, although we removed the IEHarden value entirely. Remove this value (or set to 0) from all user profiles (via login script):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Remove this value (or set to 0) from all terminal servers:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\
  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]


TortoiseSVN (or the neon library it uses for WebDAV) seem to not like mod_auth_ntlm_winbind - it will authenticate, but only download 4-5 files while loading out the error logs with messages like this:

  got NTLMSSP command 3, expected 1 

As described here:

The error message explained here (half-way through):

Currently (2014-02-11) outdated. Tortoise 1.8.4 works properly with combination: tortoise/1.8.4(serf/1.3.2) → apache/2.2.22-13 → auth_ntlm_winbind/(from_apache) → winbind/3.6.6 → kerberos/5 → WindowsAD(2012/2008/2003+krbsupp) . In that situation is possible transmit thousands of files with SVN commit & update.

HTTPS support

Often authorization by HTTPS is impossible. Reason is unknown. But there is workaround:

  1. Copy some template from HTTPS to HTTP and restart apache
  2. Login into secured template once.
  3. After that file /var/run/samba/winbindd_privileged/pipe will be created
  4. You can remove secured template from HTTP. Domain authorization using HTTPS should work.

Cannot disable Basic & Digest autentication

For NTLM protected directory, Basic & Diggest authentication still are supported. Option 'NTLMAuth on' without options BasicAuth/DiggestAuth seems to be ignored. This is very important for windows DAV users. If they are not configured and store password permanently, after changing password they must be cleaned up for restore connection.

Sample config:

  <Location /svn/SomeRepo>
      Dav svn
      #authentication NTLM Windows domain winbind proxy
      AuthName "NTLM Authentication thingy"
      NTLMAuth on
      #does not work--->NTLMBasicAuth off
      #another that doesn't work--->BasicAuth off
      NTLMAuthHelper "/usr/bin/ntlm_auth --domain=MY.WINDOWS.DOMAIN.FULL.QUALIFIED --helper-protocol=squid-2.5-ntlmssp"
      NTLMBasicAuthoritative on
      AuthType NTLM
      #this doesn't works also --->AuthBasicAuthoritative off
      require valid-user
      SVNPath /path/to/svn/database/directory
mod_auth_ntlm_winbind.txt · Last modified: 2014/02/11 13:56 by
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki