mod_ntlm_winbind question

Andrew Bartlett abartlet at
Thu Sep 30 21:51:07 GMT 2004

On Fri, 2004-10-01 at 07:40, Eric Ladner wrote:
> Do you think it would be possible to modify this module to provide group
> authentication capabilities?
> For example, to allow members of an NT group to be passed through, something
> like so:
> blah blah...
> NTLMGroup  SomeNTGroup SomeOtherNtGroup
> Require    valid-user
> That way, anybody who is a member of those two groups would get through without
> noticing the authentication, but anyone else is blocked.
> I think the smbauth mod does this, but it lacks the NTLM part for transparent
> authentication.

There are two ways this is solved.

The first is the '--require-membership-of' hack.  This is an option to
ntlm_auth, which causes the *authentication* to fail if the user isn't
in a particular group.  The idea is to avoid putting 'administrator' in
this group, and therefore avoid some of the security implications of
unlimited attacks on the admin password.

I have discussed here before extensions to ntlm_auth to make it return
user groups, for use in the authorization stage, and this in turn could
be hooked into such an Apache option.  

I'll happily take patches, otherwise I'll add it to the list (please
file a bug against ntlm_auth).


Andrew Bartlett

Andrew Bartlett                                 abartlet at
Authentication Developer, Samba Team  
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list