Enable Windows NTLM Pass-through Authentication in Linux-based Apache

Thank Science for SuSE Linux Enterprise 11; it's made this process relatively easy. SLES 10 SP2 was giving me a headache because of some Windows 2008 based Active Directory authentication issues, but upgrading to SLES 11 took care of all that.

First things first: set up Samba to authenticate to AD. Next, install the openSUSE mod_auth_ntlm_winbind RPM.

Download the appropriate RPM from the openSUSE package page: https://software.opensuse.org/package/apache2-mod_auth_ntlm_winbind

The wiki for this Apache 2 module can be found here. Next, we're going to install pam_smb, set the proper permissions on winbindd_privileged, add the module to Apache, and restart the web service.

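# Install the pam_smb package
yast -i pam_smb
# Give the Apache user (wwwrun) read/execute access to the winbindd_privileged directory
setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged
# Enable the module in Apache
a2enmod auth_ntlm_winbind
# Restart Apache
rcapache2 restart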

Finally, add something to the effect of this to your Apache config file:

AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user

Restart the service and you should be authenticating automatically. Don't forget to add the website to your browser's Intranet zone if needed.
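If authentication does not work after the restart, the two things worth checking first are the ACL on winbindd_privileged and the directives Apache actually loaded. The script below is an added example, not part of the original post: the function names and sample inputs are made up for illustration, and the rule that "other" must have no access to the directory is an assumption of this check, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Both checks read text on
# stdin, so they work on live command output or on saved files.

# acl_ok USER: reads `getfacl` output. Succeeds only if USER's effective
# rights are r-x and "other" has none (assumption: the directory should
# stay closed to every account that was not granted access explicitly).
acl_ok() {
    awk -v u="$1" '
        /^#/ { next }                              # "# file:" style header lines
        {
            eff = $1; sub(/^.*:/, "", eff)         # permission field of the entry
            if (match($0, /#effective:/)) {        # ACL mask narrowed the entry
                eff = substr($0, RSTART + RLENGTH, 3)
            }
            if (index($1, "user:" u ":") == 1) user = eff
            if (index($1, "other::") == 1)     other = eff
        }
        END { exit !(user == "r-x" && other == "---") }
    '
}

# ntlm_conf_ok: reads an Apache config fragment. Succeeds only if the
# four enforcing directives from the post are present. Directive names
# are case-insensitive in Apache; commented-out lines are ignored.
ntlm_conf_ok() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        line ~ /^authtype[ \t]+ntlm[ \t]*$/      { authtype = 1 }
        line ~ /^ntlmauth[ \t]+on[ \t]*$/        { enabled = 1 }
        line ~ /^ntlmauthhelper[ \t].*--helper-protocol=squid-2\.5-ntlmssp/ { helper = 1 }
        line ~ /^require[ \t]+valid-user[ \t]*$/ { require = 1 }
        END { exit !(authtype && enabled && helper && require) }
    '
}

# Constructed samples (not captured from a real host).
SAMPLE_ACL='# file: var/lib/samba/winbindd_privileged
user::rwx
user:wwwrun:r-x
group::r-x
mask::r-x
other::---'
SAMPLE_CONF='AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
AuthType NTLM
require valid-user'

printf '%s\n' "$SAMPLE_ACL"  | acl_ok wwwrun && echo "ACL: ok"
printf '%s\n' "$SAMPLE_CONF" | ntlm_conf_ok  && echo "Apache config: ok"
```

On a live host, pipe the output of `getfacl /var/lib/samba/winbindd_privileged` into `acl_ok wwwrun`, and feed the relevant config file to `ntlm_conf_ok`.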

Also, I read that, unfortunately, auth_ntlm_winbind doesn't work over SSL, but I'm going to try it anyway. In the event that it doesn't, I'll be exploring Kerberos authentication within Apache.

Editor’s note (2025): NTLM and the mod_auth_ntlm_winbind approach are considered legacy and are generally discouraged today due to security limitations and deprecation across platforms. Where possible, prefer Kerberos/Negotiate (SPNEGO) or modern SSO solutions. The original instructions above are preserved for historical accuracy; links were updated to currently available documentation where the original pages no longer exist.