Here is a quick guide to enabling NTLM authentication for Apache 2.
I generally use Ubuntu, so I am a heavy apt-get’er, but I prefer to build my apache from source.Here goes…

Make sure you change the ‘domain-name’ and ‘domain-controller’ to suit your environment. It is case sensitive.

Install Samba & Kerberos

apt-get install samba winbind krb5-config krb5-user smbfs

Replace /etc/krb5.conf with the following file,

default_realm = DOMAIN-NAME.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
plain = {
something = something-else
fcc-mit-ticketflags = true
kdc = domain-controller.domain.local
.kerberos.server = DOMAIN-NAME.LOCAL
krb4_convert = true
krb4_get_tickets = false

Run the following;

kinit Administrator@DOMAIN-NAME.LOCAL

* This command will return nothing if successful.

Replace /etc/samba/smb.conf with the following

workgroup = DOMAIN-NAME
realm =
preferred master = no
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba.log
max log size = 50
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
comment = Home Directories
valid users = %S
read only = No
browseable = No

Add any shares that you want visible to your Windows uers if you wish.

/etc/init.d/samba restart

Now you can join your Windows domain. You’ll be prompted to put in the Domain Administrator password.

net ads join -U Administrator

/etc/init.d/winbind start

Edit /etc/nsswitch.conf


passwd: compat
group: compat


passwd: compat winbind
group: compat winbind

You can test if everything went OK with the following

wbinfo –g
wbinfo -u

Theset two commands should list all the users & groups in your Active Directory.

Install Apache

Download the latest apache source package. I assume you know how to do this.

Download from here. Or you can download the latest unpacked source from the Samba site.

cd mod_ntlm_winbind/
ln -s mod_ntlm_winbind.c mod_auth_ntlm_winbind.c
/usr/local/apache2/bin/apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
make install

‘make install’ sometimes returns an error but it does complete the required tasks successfully.

Add the following into your httpd.conf

LoadModule ntlm_winbind_module modules/
<Directory />
Options FollowSymLinks Multiviews Indexes
AllowOverride All
AuthName "Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user

I used <Directory /> as an example for NTLM authentication server wide. For example an Intranet server. But you can apply it to any directory, <Directory /var/www/some-dir>

Restart apache to finish off.

/etc/init.d/apachectl restart
Sometimes winbindd doesn’t set it’s privileges to world read able. So apache may throw an error, you may get an ‘Internal Server Error’. The following will do the trick.

chmod 777 /var/run/samba/winbindd_privileged

I like to add ‘chmod 777 /var/run/samba/winbindd_privileged’ to the /etc/rc.local or equivelant.