OVERVIEW The mod_auth_ntlm_winbind module provides authentication and authorisation over the web against a Microsoft Windows NT/2000/XP or Samba Domain Controller using Samba's winbind daemon running on the same machine Apache 1.x or 2.x is running on. Used only by IE and newer versions of the Mozilla browser family, the NTLM over HTTP protocol is completed undocumented by Microsoft but has been reverse engineered and described at the following URL: http://davenport.sf.net/ntlm.html INSTALLATION The configure.in script and Makefile are essentially wrappers around apxs, which should be able to do all the work by itself. Having said that, the build/install process should simply be a matter of: $ autoconf $ ./configure $ make $ sudo make install The configure script will attempt to locate apxs and httpd. It will prefer apxs2 to apxs, and will use the httpd it finds to determine whether it is building for Apache 1 or Apache 2. You can override the detected settings using --with-apxs=/path/to/apxs and --with-httpd=/path/to/httpd In the event that the configure/Make combination doesn't work, you should be able to do: [Apache 1.x] $ apxs -c -i mod_auth_ntlm_winbind.c [Apache 2.x] $ apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c (substitute apxs2 as appropriate) CONFIGURATION mod_auth_ntlm_winbind uses the same ntlm_auth helper as the Squid proxy, so the same setup applies as for Squid: the winbindd_privileged directory must be accessible by the webserver userid. The configuration directives added by this module are as follows: NTLMAuth set to 'on' to activate NTLM authentication NegotiateAuth set to 'on' to activate Negotiate authentication NTLMBasicAuthoritative set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module NTLMBasicAuth set to 'on' to activate Basic authentication (for non-NTLM browsers) NTLMBasicRealm Realm to use for Basic authentication NTLMAuthHelper Location and arguments to the Samba ntlm_auth utility for NTLM auth NegotiateAuthHelper Location and arguments to the Samba ntlm_auth utility for Negotiate auth PlaintextAuthHelper Location and arguments to the Samba ntlm_auth utility for Plaintext auth The following httpd.conf configuration describes an example configuration for this module: NTLM authentication: AuthName "NTLM Authentication thingy" NTLMAuth on NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" NTLMBasicAuthoritative on AuthType NTLM require valid-user or, to enable 'NTLM+Negotiate' authentication too: AuthName "NTLM Authentication thingy" NTLMAuth on NegotiateAuth on NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego" NTLMBasicAuthoritative on AuthType NTLM AuthType Negotiate require valid-user To debug what is going on, add the following line to your httpd.conf to enable debug messages to be written to the apache error log file: LogLevel debug