[Samba] [SOLVED (well, the ntlmssp part)] RE: mod_ntlm_winbind / Apache2

Kevin Shanahan kmshanah at ucwb.org.au
Fri Sep 1 02:32:55 GMT 2006


On Tue, 2006-08-29 at 20:33 +0930, Kevin Shanahan wrote:
> I'm trying to set up Apache2 with mod_ntlm_winbind so our Windows users
> can log onto our Intranet automatically without having to type in their
> username / password.
> 
> I've gotten part of the way there, but things aren't behaving the way
> I'd like/expect. So far, I've been able to log on using Firefox but only
> with the password dialog popping up, and then only if I enter my
> username as DOMAIN\username.

Okay, I found out the issue with Firefox was just a client configuration
issue. Firefox needs to have the intranet URI added to the
network.automatic-ntlm-auth.trusted-uris setting in about:config.

The issue with IE6 turned out to be Debian's mod_ssl config file
disabling keepalive for all user agents matching '.*MSIE.*'. Once that
was removed, it works fine.

> <Directory /var/www/auth-test>
>     NTLMAuth on
>     NTLMBasicAuthoritative on
>     NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
>     AuthType NTLM
>     AuthName "NTLM Authentication Test"
>     require valid-user
> </Directory>

This config is now working, but there are still problems if I add
SPNEGO. IE6 seems to respond to the "WWW-Authenticate: Negotiate" reply
from Apache with an NTLMSSP challenge. Haven't figured that one out yet.

Regards,
Kevin.
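
A check for the keepalive problem described in the message above, added here as an example and not part of the original post: the NTLM handshake spans several requests on one connection, so any rule that sets `nokeepalive` for a browser breaks it. The sample config, user agents and function names are constructed for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re
import shlex

# Constructed sample: only the '.*MSIE.*' pattern is taken from the post.
SAMPLE_CONF = """\
# mod_ssl config (constructed)
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
BrowserMatchNoCase "oldbot" force-response-1.0
<Directory /var/www/auth-test>
    AuthType NTLM
</Directory>
"""
SAMPLE_AGENTS = [  # constructed sample User-Agent strings
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20060728 Firefox/1.5",
]

def nokeepalive_rules(conf_text):
    """Return (line_no, regex) for each User-Agent rule that sets nokeepalive."""
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        tokens = shlex.split(line)
        name = tokens[0].lower()
        if name in ("setenvif", "setenvifnocase"):
            if len(tokens) < 4 or tokens[1].lower() != "user-agent":
                continue
            pattern, env_vars = tokens[2], tokens[3:]
        elif name in ("browsermatch", "browsermatchnocase"):
            if len(tokens) < 3:
                continue
            pattern, env_vars = tokens[1], tokens[2:]
        else:
            continue
        # "!nokeepalive" removes the variable, so only a plain set counts.
        if not any(v.split("=", 1)[0].lower() == "nokeepalive" for v in env_vars):
            continue
        flags = re.IGNORECASE if name.endswith("nocase") else 0
        rules.append((line_no, re.compile(pattern, flags)))
    return rules

def agents_losing_keepalive(conf_text, user_agents):
    """Return the user agents for which at least one rule sets nokeepalive."""
    rules = nokeepalive_rules(conf_text)
    return [ua for ua in user_agents if any(rx.search(ua) for _, rx in rules)]

if __name__ == "__main__":
    for ua in agents_losing_keepalive(SAMPLE_CONF, SAMPLE_AGENTS):
        print("keepalive disabled, NTLM handshake will fail for:", ua)
```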



