NTLM-Authorisation against AD-Groups on Apache2 with ntlm_auth

Hi to All,

We are making a SLES10 server for our intranet. The permissions for some virtual hosts on it should be made with some AD groups of the domain. I've installed auth_ntlm_winbind_module with Apache 2 and placed some .htaccess files in the directories.
So, the authorisation with users works fine ... with groups NO CHANCE.
Can someone give me any tips on how to get it to work?

Best greetings

HPE


... the .htaccess file
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
NTLMBasicAuth on
NTLMBasicAuthoritative on
#require valid-user
require user test              <- works
#require group visitors   <- does not work!
hpenderle Asked:
 
Nopius Commented:
and read the complete manual for ntlm_auth; I don't have a local copy...
 
Nopius Commented:
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=YOUR_DOMAIN+visitors"

and try to use 'require valid-user'
 
hpenderle (Author) Commented:
Hi Nopius,

Thanks a lot for your help ... but even the above entries didn't work.

Meanwhile I tried direct calls of ntlm_auth ... with the following results:
 /usr/bin/ntlm_auth --username=test  --password=xxx
NT_STATUS_OK: Success (0x0)
/usr/bin/ntlm_auth --username=test --require-membership-of="DOMAIN+visitors"  --password=xxx
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)

... Any further ideas?

Thanks
HPE
 
hpenderle (Author) Commented:
An addition ...
The
/usr/bin/ntlm_auth --username=test --require-membership-of="DOMAIN+visitors"  --password=xxx
works on some groups, on some NOT - independent of the membership of the user test in this group.

But the authentication in the above example DID not work even when the manual ntlm_auth query returns SUCCESS.
It seems that the '--require-membership-of=...' option has no influence on the 'require valid-user' option.

 
 
Nopius Commented:
Try this: "--domain=DOMAIN --require-membership-of=visitors"
Or try to use the SID of group visitors instead of the name 'visitors'
Question has a verified solution.
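
Added example, not part of the thread or of any poster's setup: a small shell triage for the two checks discussed above. It compares a plain ntlm_auth logon with the group-restricted one to tell a credential failure from a group failure, and builds the NTLMAuthHelper line from a group SID as suggested in the last comment. Assumptions: the function names are hypothetical, the SID is a constructed placeholder, and the SID is taken to be the first field of the `wbinfo -n` output.

```shell
#!/bin/sh
# Added example, not from the thread. Sample strings below are constructed.

# First NT_STATUS_* token of an ntlm_auth result line.
nt_status() {
    printf '%s\n' "$1" | sed -n 's/^\(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1
}

# Compare a plain logon with the same logon plus --require-membership-of.
triage() {
    plain=$(nt_status "$1")
    grouped=$(nt_status "$2")
    if [ "$plain" != "NT_STATUS_OK" ]; then
        echo "credentials"   # logon itself fails; the group was never the issue
    elif [ "$grouped" = "NT_STATUS_OK" ]; then
        echo "ok"
    else
        echo "group"         # logon is fine; group name lookup or membership fails
    fi
}

# SID from `wbinfo -n 'DOMAIN+group'` output; prints nothing unless the
# first field is a well-formed SID, so error text never reaches the config.
sid_from_wbinfo() {
    printf '%s\n' "$1" | awk '$1 ~ /^S-1-[0-9]+(-[0-9]+)+$/ { print $1; exit }'
}

# Helper directive restricted to that SID, or non-zero if no SID was found.
helper_line() {
    sid=$(sid_from_wbinfo "$1")
    [ -n "$sid" ] || return 1
    printf 'NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=%s"\n' "$sid"
}

# Constructed inputs: the two result lines quoted in the thread, and a
# made-up wbinfo answer (placeholder SID).
PLAIN='NT_STATUS_OK: Success (0x0)'
GROUPED='NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)'
WBINFO_OUT='S-1-5-21-1111111111-2222222222-3333333333-1105 SID_DOM_GROUP (2)'

triage "$PLAIN" "$GROUPED"
# On a live host: helper_line "$(wbinfo -n 'DOMAIN+visitors')"
helper_line "$WBINFO_OUT"
```

A "group" verdict with a failed SID lookup points at name resolution (domain name or winbind separator) rather than at the user's membership.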
