NTLM Authentication (Active Directory) on Apache (Linux)

Here is a quick guide to enabling NTLM authentication for Apache 2.
I generally use Ubuntu, so I am a heavy apt-get’er, but I prefer to build my Apache from source. Here goes…

Make sure you change the ‘DOMAIN-NAME’ and ‘domain-controller’ placeholders to suit your environment. They are case sensitive.

Install Samba & Kerberos

apt-get install samba winbind krb5-config krb5-user smbfs

Replace /etc/krb5.conf with the following file (the realm name must be spelled identically in every section):

--
[libdefaults]
    default_realm = DOMAIN-NAME.LOCAL
    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    DOMAIN-NAME.LOCAL = {
        kdc = domain-controller.domain.local
    }
[domain_realm]
    .kerberos.server = DOMAIN-NAME.LOCAL
[login]
    krb4_convert = true
    krb4_get_tickets = false
--

Run the following:

kinit Administrator@DOMAIN-NAME.LOCAL

* This command will return nothing if successful.

Replace /etc/samba/smb.conf with the following:

--
[global]
    workgroup = DOMAIN-NAME
    realm = DOMAIN-NAME.LOCAL
    preferred master = no
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba.log
    max log size = 50
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
--

Add any shares that you want visible to your Windows users, if you wish, then restart Samba:

/etc/init.d/samba restart

Now you can join your Windows domain. You’ll be prompted to put in the Domain Administrator password.

net ads join -U Administrator

/etc/init.d/winbind start

Edit /etc/nsswitch.conf

Replace

passwd: compat
group: compat

With

passwd: compat winbind
group: compat winbind

You can test whether everything went OK with the following:

wbinfo -g
wbinfo -u

These two commands should list all the groups and users in your Active Directory.

Install Apache

Download the latest apache source package. I assume you know how to do this.

Download mod_ntlm_winbind.zip from here. Or you can download the latest unpacked source from the Samba site.

unzip mod_ntlm_winbind.zip
cd mod_ntlm_winbind/
autoconf
./configure
ln -s mod_ntlm_winbind.c mod_auth_ntlm_winbind.c
/usr/local/apache2/bin/apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
make install

‘make install’ sometimes returns an error but it does complete the required tasks successfully.

Add the following into your httpd.conf:

LoadModule ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
<Directory />
    Options FollowSymLinks MultiViews Indexes
    AllowOverride All
    AuthName "Authentication"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    AuthType NTLM
    Require valid-user
</Directory>

I used <Directory /> as an example to apply NTLM authentication server-wide, for example on an intranet server, but you can apply the same block to any directory, e.g. <Directory /var/www/some-dir>.

Restart apache to finish off.

/etc/init.d/apachectl restart

Sometimes winbindd doesn’t make its privileged directory world-readable, so Apache cannot reach the ntlm_auth helper and you may get an ‘Internal Server Error’. The following will do the trick.

chmod 777 /var/run/samba/winbindd_privileged

I like to add ‘chmod 777 /var/run/samba/winbindd_privileged’ to /etc/rc.local or equivalent. Note that winbindd restricts this directory on purpose, since any local account that can reach it can drive the helper; a less permissive alternative is to add the Apache user to the directory’s group (winbindd_priv on Debian/Ubuntu) instead of opening it to everyone.
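As an added example (not part of the original guide), the following POSIX shell script decides whether Apache’s worker user can traverse winbindd’s privileged directory without the world-writable chmod above, and prints the least-privilege fix. It assumes Apache runs as www-data and that the directory is group-owned by winbindd_priv (the Debian/Ubuntu default); the pure functions take their inputs as arguments so they can be exercised with constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed defaults: Apache user
# www-data, privileged directory group winbindd_priv; adjust per distribution.

PRIV_DIR=/var/run/samba/winbindd_privileged

# One octal permission digit has the execute/traverse bit if it is 1,3,5 or 7.
has_x() { case $1 in 1|3|5|7) return 0 ;; *) return 1 ;; esac; }

# can_traverse OWNER GROUP MODE USER "GROUP1 GROUP2 ..."
# MODE is the octal mode as printed by `stat -c %a` (e.g. 750 or 0750).
# Applies the same owner -> group -> other classification the kernel uses.
# Returns 0 if USER can enter the directory, 1 otherwise.
can_traverse() {
  owner=$1; group=$2; mode=$3; user=$4; groups=$5
  perm=${mode#"${mode%???}"}                 # keep the last three octal digits
  u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
  if [ "$user" = "$owner" ]; then has_x "$u"
  elif echo " $groups " | grep -qF " $group "; then has_x "$g"
  else has_x "$o"; fi
}

# world_writable MODE: 0 if "other" has the write bit (the chmod 777 state),
# i.e. every local account can write into the privileged pipe directory.
world_writable() {
  perm=${1#"${1%???}"}; o=${perm#??}
  case $o in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# advise OWNER GROUP MODE USER "GROUPS": print the least-privilege remedy.
advise() {
  if world_writable "$3"; then
    echo "restore: chmod 750 $PRIV_DIR and grant access via group membership"
  fi
  if can_traverse "$@"; then echo "ok: $4 can reach the ntlm_auth pipe"
  else echo "fix: usermod -aG $2 $4 (then restart apache)"; fi
}

# Live check on this host, skipped where the directory does not exist.
# `stat -c` and `id -Gn` are the GNU coreutils forms found on Ubuntu.
if [ -d "$PRIV_DIR" ]; then
  apache_user=${APACHE_USER:-www-data}
  set -- $(stat -c '%U %G %a' "$PRIV_DIR")
  advise "$1" "$2" "$3" "$apache_user" "$(id -Gn "$apache_user" 2>/dev/null)"
fi
```

Run it as root after winbindd is up; if it prints a ‘fix:’ line, apply that usermod and restart Apache rather than widening the directory’s mode.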

10 thoughts on “NTLM Authentication (Active Directory) on Apache (Linux)”

  1. [...] I use this on Internet based sites with Google Analytics * It’s AJAX just doesn’t like mod_auth_ntlm or the other way [...]

  2. Hi, great article and site.

    I have a problem, file mod_ntlm_winbind.zip is not available any more.

    Is there any other site to download it?

    Thx!

  3. [...] For activating it in the apache config, follow my previous guide, NTLM Authentication (Active Directory) on Apache (Linux). [...]

  4. [...] For activating it in the apache config, follow my previous guide, NTLM Authentication (Active Directory) on Apache (Linux). [...]

  5. Chandramani Yadav

    chmod 777 /var/run/samba/winbindd_privileged makes winbind refuse to start on SUSE Enterprise Linux 11

  6. Spot on with this write-up, I actually assume this website wants much more consideration. I’ll in all probability be once more to learn much more, thanks for that info.

  7. Hi,
    I followed your guide to have SSO from AD to Apache (with mod_proxy -> Java webapp deployed in Tomcat).
    Perfect guide ;)

    But… Now I want to retrieve the username (in a header, for example), how can I do it?
    Thanks
