NTLM-Authorisation against AD-Groups on Apache2 with ntlm_auth

Posted on 2007-08-07
Last Modified: 2008-09-17
Hi to All,

We are setting up an SLES10 server for our intranet. The permissions for some virtual hosts on it should be based on some AD groups of the domain. I've installed auth_ntlm_winbind_module with Apache 2 and placed some .htaccess files in the directories.
So, the authorisation with users works fine ... with groups NO CHANCE.
Can someone give me any tips on how to get it to work?

Best greetings


.. the .htaccess file
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
NTLMBasicAuth on
NTLMBasicAuthoritative on
#require valid-user
require user test              <- works
#require group visitors   <- does not work!
Question by:hpenderle

    Expert Comment

    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=YOUR_DOMAIN+visitors"

    and try to use 'require valid-user'

    Author Comment

    Hi Hopius,

    thanks a lot for your help ... but even the above entries didn't work.

    Meanwhile I tried direct calls of ntlm_auth ... with the following results:
     /usr/bin/ntlm_auth --username=test  --password=xxx
    NT_STATUS_OK: Success (0x0)
    /usr/bin/ntlm_auth --username=test --require-membership-of="DOMAIN+visitors"  --password=xxx
    NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)

    ... Any further ideas?


    Author Comment

    An addition ...
    /usr/bin/ntlm_auth --username=test --require-membership-of="DOMAIN+visitors"  --password=xxx
    works on some groups, on some NOT - not dependent on the membership of the user test in this group.

    But the authentication in the above example DID not work even when the manual ntlm_auth query returns SUCCESS.
    It seems that the '--require-membership-of=...' option has no influence on the 'require valid-user' option.


    Expert Comment

    Try this: "--domain=DOMAIN --require-membership-of=visitors"
    Or try to use the SID of the group visitors instead of the name 'visitors'

    Accepted Solution

    and read the complete manual for ntlm_auth; I don't have a local copy...
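
The SID suggestion from the thread, as an added example that is not part of the original posts: it resolves the user and the group to SIDs through winbind and compares them exactly, so the result does not depend on how the group name is written. `name_to_sid`, `check_membership` and the `WBINFO` override are hypothetical names; it assumes a domain-joined host with winbind running and uses Samba's `wbinfo -n` and `wbinfo --user-sids`.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread): group check by SID via winbind.
# WBINFO may be overridden (e.g. for testing); it defaults to Samba's wbinfo.
WBINFO=${WBINFO:-wbinfo}

# Resolve an account or group name to its SID.
# `wbinfo -n NAME` prints "<SID> <type>"; only the first field is kept.
name_to_sid() {
    out=$($WBINFO -n "$1" 2>/dev/null) || return 1
    sid=${out%% *}
    case $sid in
        S-1-*) printf '%s\n' "$sid" ;;
        *) return 1 ;;
    esac
}

# check_membership USER GROUP   (names as winbind expects them, e.g. DOMAIN+test)
# Return codes: 0 member, 1 not a member, 2 user not resolvable,
#               3 group not resolvable.
# When the group resolves, prints the ntlm_auth option with the SID filled in.
check_membership() {
    user_sid=$(name_to_sid "$1") || return 2
    group_sid=$(name_to_sid "$2") || return 3
    printf -- '--require-membership-of=%s\n' "$group_sid"
    # --user-sids lists the group SIDs winbind reports for this user SID.
    # -F -x: fixed string, whole line, so ...-1202 never matches ...-12020.
    $WBINFO --user-sids="$user_sid" 2>/dev/null | grep -Fqx -- "$group_sid"
}

# Typical use on the web server (group and user names taken from the thread):
#   check_membership 'DOMAIN+test' 'DOMAIN+visitors'; echo "rc=$?"
```

A return code of 3 points at a name or separator problem, while 1 means winbind does not see the user in that group; neither case needs a password on the command line.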
