Index: mod_auth_ntlm_winbind.c
===================================================================
--- mod_auth_ntlm_winbind.c	(revision 713)
+++ mod_auth_ntlm_winbind.c	(working copy)
@@ -683,6 +683,8 @@
     /* Pipe to helper */
     snprintf(args_to_helper, HUGE_STRING_LEN, "%s %s\n", message_type, client_msg);
 
+    RDEBUG(">> %s", args_to_helper);
+
 #ifdef APACHE2
     bytes_written = strlen( args_to_helper );
     apr_file_write( auth_helper->proc->in, args_to_helper, &bytes_written );
@@ -700,7 +702,6 @@
 #ifdef APACHE2
     apr_file_flush( auth_helper->proc->in );
 
-    RDEBUG( "parsing reply from helper to %s", args_to_helper );
 
     if ( apr_file_gets(args_from_helper, HUGE_STRING_LEN, auth_helper->proc->out ) == APR_SUCCESS ) {
         bytes_read = strlen( args_from_helper );
@@ -738,36 +739,54 @@
         *newline = '\0';
     }
 
-    RDEBUG( "got response: %s", args_from_helper );
+    RDEBUG( "<< %s", args_from_helper );
 
     /* inspect message type */
 
     childarg = strchr(args_from_helper, ' ');
-    if (childarg == NULL) {
-        RERROR( errno, "failed to parse response from helper");
+    if (childarg != NULL) {
+        *childarg++ = '\0';
+    }
+
+    if (strcmp(args_from_helper, "BH") == 0) {
+
+        if (childarg) {
+            RERROR( APR_EGENERAL, "ntlm_auth reports: helper busted (%s)", childarg);
+        } else {
+            RERROR( APR_EGENERAL, "ntlm_auth reports: helper busted");
+        }
+
         apr_pool_destroy(auth_helper->pool);
         apr_pool_destroy(ctxt->connected_user_authenticated->pool);
 
         return HTTP_INTERNAL_SERVER_ERROR;
-    }
-    childarg++;
 
-    if (strcasecmp(auth_type, NTLM_AUTH_NAME) == 0) {
+    } else if (strcasecmp(auth_type, NTLM_AUTH_NAME) == 0) {
+
+        /* There must be other args */
+        if (childarg == NULL) {
+            RERROR( errno, "failed to parse response from helper");
+            apr_pool_destroy(auth_helper->pool);
+            apr_pool_destroy(ctxt->connected_user_authenticated->pool);
+
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
+
         /* if TT, send to client */
 
-        if (strncmp(args_from_helper, "TT ", 3) == 0) {
+        if (strcmp(args_from_helper, "TT") == 0) {
             return send_auth_reply(r, auth_type, childarg);
         }
 
         /* if NA, not authenticated */
 
-        if (strncmp(args_from_helper, "NA ", 3) == 0) {
+        if (strcmp(args_from_helper, "NA") == 0) {
             RDEBUG("user not authenticated: %s", childarg);
             return note_auth_failure(r, NULL);
         }
 
         /* if AF, record username */
-        if (strncmp(args_from_helper, "AF ", 3) == 0) {
+        if (strcmp(args_from_helper, "AF") == 0) {
             ctxt->connected_user_authenticated->user =
                 apr_pstrdup(ctxt->connected_user_authenticated->pool,
                             childarg);
@@ -787,8 +806,18 @@
                     ctxt->connected_user_authenticated->user );
             return OK;
         }
+
     } else if (strcasecmp(auth_type, NEGOTIATE_AUTH_NAME) == 0) {
 
+        /* There must be other args */
+        if (childarg == NULL) {
+            RERROR( errno, "failed to parse response from helper");
+            apr_pool_destroy(auth_helper->pool);
+            apr_pool_destroy(ctxt->connected_user_authenticated->pool);
+
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
+
     /* The child's reply contains 3 parts:
        - The code: TT, AF or NA
        - The blob to send to the client, coded in base64
@@ -811,19 +840,19 @@
 
         /* if TT, send to client */
 
-        if (strncmp(args_from_helper, "TT ", 3) == 0) {
+        if (strcmp(args_from_helper, "TT") == 0) {
             return send_auth_reply(r, auth_type, childarg);
         }
 
         /* if NA, not authenticated */
 
-        if (strncmp(args_from_helper, "NA ", 3) == 0) {
+        if (strcmp(args_from_helper, "NA") == 0) {
             RDEBUG("user not authenticated: %s", childarg3);
             return note_auth_failure(r, childarg);
         }
 
         /* if AF, record username */
-        if (strncmp(args_from_helper, "AF ", 3) == 0) {
+        if (strcmp(args_from_helper, "AF") == 0) {
             ctxt->connected_user_authenticated->user =
                 apr_pstrdup(ctxt->connected_user_authenticated->pool,
                             childarg3);
@@ -853,14 +882,8 @@
 
     /* Helper failed */
 
-    /* if BH, helper is busted */
+    RERROR( APR_EGENERAL, "could not parse %s helper callback", auth_type);
 
-    if (strncmp(args_from_helper, "BH ", 3) == 0) {
-        RERROR( APR_EGENERAL, "ntlm_auth reports Broken Helper: %s", args_from_helper);
-    } else {
-        RERROR( APR_EGENERAL, "could not parse %s helper callback: %s", auth_type, args_from_helper);
-    }
-
     apr_pool_destroy(auth_helper->pool);
     apr_pool_destroy(ctxt->connected_user_authenticated->pool);
 
Index: README
===================================================================
--- README	(revision 713)
+++ README	(working copy)
@@ -27,7 +27,7 @@
 prefer apxs2 to apxs, and will use the httpd it finds to determine
 whether it is building for Apache 1 or Apache 2. You can override the
 detected settings using --with-apxs=/path/to/apxs and
---with-httpd=/path/to/httpd
+--with-apache=/path/to/httpd
 
 In the event that the configure/Make combination doesn't work, you
 should be able to do: