mod_auth_ntlm_winbind

mod_auth_ntlm_winbind is a pretty cool Apache module that will do authentication against Active Directory with NTLM. I'm not a heavy participant in the Samba world, but huge Kudos have to go Tim Potter, Andrew Bartlett, and Ronan Waide (plus other awesome Samba rock stars). This module was originally known as mod_ntlm_winbind, but the name has been changed to be consistent with the Apache module naming scheme.

Samba, Winbind, Kerberos, and Apache must be installed and configured before mod_auth_ntlm_winbind (see previous section), the mod_auth_ntlm_winbind module will not work without these packages…

Both Internet Explorer and Firefox support NTLM authentication out of the box. It should just work for intranet hosts, but you can add other hosts to the security settings:

Internet Explorer: Tools → Internet Options → Security → Local Intranet → Sites
Firefox: about:config → network.negotiate-auth.trusted-uris

Adding trusted hosts can also be done through group policy.

The source can be downloaded directly from Samba's Subversion repository:

svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind

The source can also be taken from the Samba git tree:

git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git

these sources aren't identical. I was able to get autoconf to work with the svn repo, but not with the git. Prefer svn even though it's svn.

A web view of mod_auth_ntlm_winbind's git tree can be found at:

http://git.samba.org/?p=jerry/mod_auth_ntlm_winbind.git

Install the module with:

autoconf
./configure
apxs2 -DAPACHE2 -c -i mod_auth_ntlm_winbind.c

If the apxs command doesn't work try installing http-devel with the following “yum install httpd-devel” and then re-run the apxs command. I had to do it without the 2 for example “apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c” For more information see this post http://sourceforge.net/projects/adldap/forums/forum/500911/topic/4544998.

I personally couldn't get “make install” to work, but I'm not sure why and it possibly works fine for others or has been patched in the latest version.

I used following and it worked fine

./configure –with-apxs=/u01/httpd/bin/apxs –with-httpd=/u01/httpd/bin/httpd (For above command to work you have to compile httpd with the debug option like ./configure –with-included-apr –with-mpm=worker –prefix=/u01/httpd)

Add the following to httpd.conf to load the mod_ntlm_winbind module:

LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so

Protect your directories with:

<Directory "/var/www/auth">
  AuthName "NTLM Authentication thingy"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
</Directory>

Now you have winbind configured, you add the actual domain groups to the folder using chown/chmod to control permissions.

You must set the permissions correctly on winbindd_privileged. Samba and winbind both will have problems (and may refuse to run) unless it's set to 750.

chmod 750 /var/run/samba/winbindd_privileged

You need to run apache as a user (you can't run it as nobody), and add that user to the group set on winbindd_privileged. DO NOT set the apache user as the user on winbindd_privileged, the permission must come via the group.

In Ubuntu, Apache runs as www-data. Add the www-data user to the group “winbindd_priv”.

Set KeepAlive to On in httpd.conf

If the compile process doesn't produce the .so file, and you get an error something like below, edit apache's libtool and change the following option to “yes”: build_libtool_libs=no

cp .libs/mod_auth_ntlm_winbind.so //usr/local/apache2/modules/mod_auth_ntlm_winbind.so
cp: cannot stat `.libs/mod_auth_ntlm_winbind.so': No such file or directory
apxs:Error: Command failed with rc=65536
.
make: *** [install] Error 1

When security zone settings are set using Group Policy, it imports settings from the GP Admins computer. If you have Enhanced Security Configuration (ESC) installed, the settings will only take effect on other computers with ESC installed. If you don't have ESC installed, the settings will only take effect on other computers without ESC installed. In this situation, ESC was not installed on the GP Admins computer, and was also not installed on the intended destination, but the GP settings would still not take effect.

IE stores its security zone site information in the registry under two separate keys depending if Enhanced Security Configuration is installed.

If ESC is enabled, this information is stored under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

If ESC is disabled, this information is stored under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

The server still retains a registry setting which takes effect on new roaming profiles:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\
  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]\
"IEHarden"=dword:00000001

Some sites recommended setting the IEHarden value to 0, although we removed the IEHarden value entirely. Remove this value (or set to 0) from all user profiles (via login script):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  "IEHarden'=dword:00000001

Remove this value (or set to 0) from all terminal servers:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\
  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
  "IEHarden"=dword:00000001

TortoiseSVN (or the neon library it uses for WebDAV) seem to not like mod_auth_ntlm_winbind - it will authenticate, but only download 4-5 files while loading out the error logs with messages like this:

libsmb/ntlmssp.c:ntlmssp_update(334)
  got NTLMSSP command 3, expected 1 

As described here: http://svn.haxx.se/tsvnusers/archive-2008-10/0001.shtml

The error message explained here (half-way through): http://webui.sourcelabs.com/samba/mail/dev/threads/mod_auth_ntlm_winbind_build.meta

Currently (2014-02-11) outdated. Tortoise 1.8.4 works properly with combination: tortoise/1.8.4(serf/1.3.2) → apache/2.2.22-13 → auth_ntlm_winbind/(from_apache) → winbind/3.6.6 → kerberos/5 → WindowsAD(2012/2008/2003+krbsupp) . In that situation is possible transmit thousands of files with SVN commit & update.

Often authorization by HTTPS is impossible. Reason is unknown. But there is workaround:

1. Copy some template from HTTPS to HTTP and restart apache
2. Login into secured template once.
3. After that file /var/run/samba/winbindd_privileged/pipe will be created
4. You can remove secured template from HTTP. Domain authorization using HTTPS should work.

For NTLM protected directory, Basic & Diggest authentication still are supported. Option 'NTLMAuth on' without options BasicAuth/DiggestAuth seems to be ignored. This is very important for windows DAV users. If they are not configured and store password permanently, after changing password they must be cleaned up for restore connection.

Sample config:

  <Location /svn/SomeRepo>
      Dav svn
      #authentication NTLM Windows domain winbind proxy
      AuthName "NTLM Authentication thingy"
      NTLMAuth on
      #does not work--->NTLMBasicAuth off
      #another that doesn't work--->BasicAuth off
      NTLMAuthHelper "/usr/bin/ntlm_auth --domain=MY.WINDOWS.DOMAIN.FULL.QUALIFIED --helper-protocol=squid-2.5-ntlmssp"
      NTLMBasicAuthoritative on
      AuthType NTLM
      #this doesn't works also --->AuthBasicAuthoritative off
      require valid-user
      SVNPath /path/to/svn/database/directory
  </Location>