Enable Windows NTLM Pass-through Authentication in Linux-based Apache

Thank Science for SuSE Linux Enterprise 11; it’s made this process relatively easy. SLES 10 SP2 was giving me a headache because of some Windows 2008-based Active Directory authentication issues, but upgrading to SLES 11 took care of all that.

First things first: set up Samba to authenticate to AD. Next, install the OpenSuSE mod_auth_ntlm_winbind RPM.

rpm --install http://download.opensuse.org/distribution/11.0/repo/oss/suse/i586/apache2-mod_auth_ntlm_winbind-0.0.0.lorikeet_svn_682-135.1.i586.rpm

The wiki for this Apache 2 module can be found here. Next, we’re going to install pam_smb, set the proper permissions on winbindd_privileged, add the module to Apache and restart the web service.

Finally, add something to the effect of this to your Apache config file:
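
A block of the kind this step calls for, as an added example rather than the author's original configuration. It uses directives provided by mod_auth_ntlm_winbind; the directory path, realm name and ntlm_auth location are assumptions to adjust for your host.

```apache
# Added example; not the original post's configuration.

# NTLM authenticates the TCP connection rather than each request, so the
# multi-step handshake only completes if the connection stays open.
KeepAlive On

# Assumed path: a directory under the SLES default document root.
<Directory "/srv/www/htdocs/intranet">
    # Assumed realm name shown to the client.
    AuthName "Intranet"
    AuthType NTLM

    # Enable NTLMSSP and hand the exchange to Samba's ntlm_auth helper,
    # which reaches winbindd through the winbindd_privileged pipe. The
    # Apache user needs access to that directory and nothing broader.
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"

    # A failed NTLM exchange is final; do not pass the request on to
    # other authentication modules.
    NTLMBasicAuthoritative on

    # Keep the Basic fallback off so the browser never sends the domain
    # password in a recoverable form over plain HTTP.
    NTLMBasicAuth off

    Require valid-user
</Directory>
```
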

Restart the service and you should be authenticating automatically. Don’t forget to add the website to your browser’s Intranet zone if needed.

Also, I read that, unfortunately, auth_ntlm_winbind doesn’t work over SSL, but I’m going to try it anyway. In the event that it doesn’t, I’ll be exploring Kerberos authentication within Apache.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Active Directory, Apache, Linux, Security
4 comments on “Enable Windows NTLM Pass-through Authentication in Linux-based Apache”
  1. Maxwell says:

    Any luck with auth_ntlm_winbind and SSL?

  2. Chrissy says:

    Negative. I ended up using Likewise. Check out http://blog.netnerds.net/category/security/ for more details.

  3. Thanks for this post, it was most useful. I've tested this auth method over SSL and can confirm that it doesn't work on IE 8 (get a 500 server error). It does however seem to work fine in Firefox 3.6.3.

    To whitelist NTLM servers in recent versions of Firefox (for password-less authentication on Windows), you need to use about:config and edit the network.automatic-ntlm-auth.trusted-uris option (enter your webserver name).

  4. Marcin Makalowski says:

    If you’re using the 64-bit RPM of auth_ntlm_winbind, authentication is not working.
    There is a bug and you have to rebuild the RPM with path.

    Best regards

    Marcin
