• Status: Solved

NTLM-Authorisation against AD-Groups on Apache2 with ntlm_auth

Hi to All,

We are building a SLES10 server for our intranet. The permissions for some virtual hosts on it should be based on some AD groups of the domain. I've installed auth_ntlm_winbind_module with Apache 2 and placed some .htaccess files in the directories.
So, the authorisation with users works fine ... with groups NO CHANCE.
Can someone give me any tips on how to get it to work?

Best greetings

HPE


... the .htaccess file:
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
NTLMBasicAuth on
NTLMBasicAuthoritative on
#require valid-user
# works:
require user test
# does not work:
#require group visitors
Asked by: hpenderle

Nopius Commented:
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=YOUR_DOMAIN+visitors"

and try to use 'require valid-user'

hpenderle (Author) Commented:
Hi Nopius,

Thanks a lot for your help ... but even the above entries didn't work.

Meanwhile I tried direct calls of ntlm_auth ... with the following results:
 /usr/bin/ntlm_auth --username=test  --password=xxx
NT_STATUS_OK: Success (0x0)
/usr/bin/ntlm_auth --username=test --require-membership-of="DOMAIN+visitors"  --password=xxx
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)

... Any further ideas?

Thanks
HPE

hpenderle (Author) Commented:
An addition ...
The
/usr/bin/ntlm_auth --username=test --require-membership-of="DOMAIN+visitors"  --password=xxx
works on some groups, on some NOT - independent of the membership of the user test in this group.

But, the authentication in the above example DID not work even when the manual ntlm_auth query returns SUCCESS.
It seems that the '--require-membership-of=...' option has no influence on the 'require valid-user' option.

 

Nopius Commented:
Try this: "--domain=DOMAIN --require-membership-of=visitors"
Or try to use the SID of the group visitors instead of the name 'visitors'

Nopius Commented:
And read the complete manual for ntlm_auth; I don't have a local copy...
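
Added example, not part of the thread: a POSIX shell diagnostic for the name-versus-SID suggestion above. It asks winbind whether the group name resolves and whether the user's SID list contains that group, then prints the helper line with the group given as a SID. It assumes the installed Samba provides `wbinfo -n` and `wbinfo --user-sids`; the function names are hypothetical and the `+` separator is the one used in the thread.

```shell
#!/bin/sh
# Added example: compare what winbind reports with what
# ntlm_auth --require-membership-of is being asked to enforce.

# Resolve an account or group name to its SID (first field of `wbinfo -n`).
name_to_sid() {
    wbinfo -n "$1" 2>/dev/null | awk 'NR==1 && $1 ~ /^S-1-/ {print $1}'
}

# Return codes: 0 = group SID is in the user's SID list, 1 = it is not,
# 2 = group name does not resolve, 3 = user name does not resolve.
user_in_group() {
    user=$1 group=$2
    gsid=$(name_to_sid "$group"); [ -n "$gsid" ] || return 2
    usid=$(name_to_sid "$user");  [ -n "$usid" ] || return 3
    wbinfo --user-sids="$usid" 2>/dev/null |
        awk -v s="$gsid" '$1 == s {found=1} END {exit !found}'
}

# Print the NTLMAuthHelper line from the thread with the group given as a SID,
# which avoids any ambiguity in how the group name is written.
helper_line() {
    gsid=$(name_to_sid "$1"); [ -n "$gsid" ] || return 2
    printf 'NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=%s"\n' "$gsid"
}

# Usage: sh check_group.sh test 'DOMAIN+visitors'
if [ "$#" -eq 2 ]; then
    rc=0; user_in_group "$1" "$2" || rc=$?
    case $rc in
        0) echo "winbind lists '$2' for '$1'; helper line using the SID:"
           helper_line "$2" ;;
        1) echo "'$2' resolves, but its SID is not in the SID list of '$1'" ;;
        2) echo "group name '$2' does not resolve; check domain prefix and separator" ;;
        *) echo "user name '$1' does not resolve" ;;
    esac
fi
```

A return code of 2 points at the group name as written (domain prefix or separator), while 1 means winbind itself does not see the membership, so changing the Apache directives will not help.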