Table of Contents
mod_auth_ntlm_winbind is a pretty cool Apache module that will do authentication against Active Directory with NTLM. I'm not a heavy participant in the Samba world, but huge Kudos have to go Tim Potter, Andrew Bartlett, and Ronan Waide (plus other awesome Samba rock stars). This module was originally known as mod_ntlm_winbind, but the name has been changed to be consistent with the Apache module naming scheme.
Samba, Winbind, Kerberos, and Apache must be installed and configured before mod_auth_ntlm_winbind (see previous section), the mod_auth_ntlm_winbind module will not work without these packages…
Both Internet Explorer and Firefox support NTLM authentication out of the box. It should just work for intranet hosts, but you can add other hosts to the security settings:
Internet Explorer: Tools → Internet Options → Security → Local Intranet → Sites
Adding trusted hosts can also be done through group policy.
The source can be downloaded directly from Samba's Subversion repository:
svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
The source can also be taken from the Samba git tree:
git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git
A web view of mod_auth_ntlm_winbind's git tree can be found at:
Install the module with:
autoconf ./configure apxs2 -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
If the apxs command doesn't work try installing http-devel with the following “yum install httpd-devel” and then re-run the apxs command. I had to do it without the 2 for example “apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c” For more information see this post http://sourceforge.net/projects/adldap/forums/forum/500911/topic/4544998.
I personally couldn't get “make install” to work, but I'm not sure why and it possibly works fine for others or has been patched in the latest version.
I used following and it worked fine
./configure –with-apxs=/u01/httpd/bin/apxs –with-httpd=/u01/httpd/bin/httpd (For above command to work you have to compile httpd with the debug option like ./configure –with-included-apr –with-mpm=worker –prefix=/u01/httpd)
Add the following to httpd.conf to load the mod_ntlm_winbind module:
LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so
Protect your directories with:
<Directory "/var/www/auth"> AuthName "NTLM Authentication thingy" NTLMAuth on NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" NTLMBasicAuthoritative on AuthType NTLM require valid-user </Directory>
Now you have winbind configured, you add the actual domain groups to the folder using chown/chmod to control permissions.
You must set the permissions correctly on winbindd_privileged. Samba and winbind both will have problems (and may refuse to run) unless it's set to 750.
chmod 750 /var/run/samba/winbindd_privileged
You need to run apache as a user (you can't run it as nobody), and add that user to the group set on winbindd_privileged. DO NOT set the apache user as the user on winbindd_privileged, the permission must come via the group.
In Ubuntu, Apache runs as www-data. Add the www-data user to the group “winbindd_priv”.
Set KeepAlive to On in httpd.conf
If the compile process doesn't produce the .so file, and you get an error something like below, edit apache's libtool and change the following option to “yes”: build_libtool_libs=no
cp .libs/mod_auth_ntlm_winbind.so //usr/local/apache2/modules/mod_auth_ntlm_winbind.so cp: cannot stat `.libs/mod_auth_ntlm_winbind.so': No such file or directory apxs:Error: Command failed with rc=65536 . make: *** [install] Error 1
When security zone settings are set using Group Policy, it imports settings from the GP Admins computer. If you have Enhanced Security Configuration (ESC) installed, the settings will only take effect on other computers with ESC installed. If you don't have ESC installed, the settings will only take effect on other computers without ESC installed. In this situation, ESC was not installed on the GP Admins computer, and was also not installed on the intended destination, but the GP settings would still not take effect.
IE stores its security zone site information in the registry under two separate keys depending if Enhanced Security Configuration is installed.
If ESC is enabled, this information is stored under:
If ESC is disabled, this information is stored under
The server still retains a registry setting which takes effect on new roaming profiles:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]\ "IEHarden"=dword:00000001
Some sites recommended setting the IEHarden value to 0, although we removed the IEHarden value entirely. Remove this value (or set to 0) from all user profiles (via login script):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap "IEHarden'=dword:00000001
Remove this value (or set to 0) from all terminal servers:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap] "IEHarden"=dword:00000001
TortoiseSVN (or the neon library it uses for WebDAV) seem to not like mod_auth_ntlm_winbind - it will authenticate, but only download 4-5 files while loading out the error logs with messages like this:
libsmb/ntlmssp.c:ntlmssp_update(334) got NTLMSSP command 3, expected 1
As described here: http://svn.haxx.se/tsvnusers/archive-2008-10/0001.shtml
The error message explained here (half-way through): http://webui.sourcelabs.com/samba/mail/dev/threads/mod_auth_ntlm_winbind_build.meta
Currently (2014-02-11) outdated. Tortoise 1.8.4 works properly with combination: tortoise/1.8.4(serf/1.3.2) → apache/2.2.22-13 → auth_ntlm_winbind/(from_apache) → winbind/3.6.6 → kerberos/5 → WindowsAD(2012/2008/2003+krbsupp) . In that situation is possible transmit thousands of files with SVN commit & update.
Often authorization by HTTPS is impossible. Reason is unknown. But there is workaround:
For NTLM protected directory, Basic & Diggest authentication still are supported. Option 'NTLMAuth on' without options BasicAuth/DiggestAuth seems to be ignored. This is very important for windows DAV users. If they are not configured and store password permanently, after changing password they must be cleaned up for restore connection.
<Location /svn/SomeRepo> Dav svn #authentication NTLM Windows domain winbind proxy AuthName "NTLM Authentication thingy" NTLMAuth on #does not work--->NTLMBasicAuth off #another that doesn't work--->BasicAuth off NTLMAuthHelper "/usr/bin/ntlm_auth --domain=MY.WINDOWS.DOMAIN.FULL.QUALIFIED --helper-protocol=squid-2.5-ntlmssp" NTLMBasicAuthoritative on AuthType NTLM #this doesn't works also --->AuthBasicAuthoritative off require valid-user SVNPath /path/to/svn/database/directory </Location>