Red Hat Bugzilla – Bug 188138
Review Request: mod_auth_ntlm_winbind - NTLM authentication for the Apache web server using winbind daemon
Last modified: 2011-09-01 11:50:15 EDT
The mod_ntlm_winbind module allows authentication and authorisation over
the Web against Windows NT/AD domain controllers, using Samba on the same
machine Apache is running on.
It uses the "ntlm_auth" helper utility to operate with the local winbindd(8) daemon,
both of which are standard parts of the Samba distribution.
This is the same way Squid does NTLM authentication now.
There are already various implementations of NTLM auth for both Apache1 and Apache2. Unlike those, mod_ntlm_winbind is a "Samba upstream" implementation, specially designed for this purpose.
For too long only Apache1 was supported. Last week support for Apache2 appeared too, therefore it is possible now to use this module in Fedora.
There is no source tarball. All the code (three files) is placed under an appropriate directory on some FTP servers. Additionally, CVS access is possible too.
There is no version yet. (Perhaps sometime in the future it can become a part of the Samba distribution?). Therefore I use YYYYMMDD as a version, with epoch "0". (It is the same way as was used for the mod_auth_mysql module in the past). Not sure whether it is good.
There are no docs; all needed words are present as comments in the config file.
- According to upstream, rename to "mod_auth_ntlm_winbind"
- Update to the latest svn source
- Add (temporary) coredumps patch by upstream co-author (will be in SVN soon too).
OK, the patch applied upstream. Update to the latest SVN source.
Note: this version works fine (at least for me :))
Upgrade to the latest SVN (Negotiate/krb5 should work now too).
Upgrade to the latest SVN (compatibility with Apache 2.2)
Add patch to fix IE6 "CONNECT HTTP/1.0" issue.
Do "chgrp apache /var/cache/samba/winbindd_privileged/" on install, or trigger
"usermod -a -G squid apache" when squid already installed (i.e. this dir has
A few initial comments (and given enough time later this week, I'll hopefully
be able to pull off a full review):
1. Drop Epoch: 0
it's not necessary, nor desired.
%post, %triggerin squid
Changing dir ownership in a scriptlet is bad, especially since the target is
owned by another package (samba-common). I can see where you're coming from
here, but in the end, it's just an unacceptable hack. Arg, on checking, it
appears squid does the same thing!
A better solution would be to ask/bug the samba maintainer to
make /var/cache/samba/winbindd_privileged group writable (owned by some group,
say, samba). Then apache and squid could simply add themselves to this group
on install. (I'll go file a bug/enhancement-request for that now...)
> Drop Epoch: 0
> A better solution would be to ask/bug the samba maintainer to
> make /var/cache/samba/winbindd_privileged group writable
Actually "group accessible", write permission is not needed here! ;)
I would prefer to not wait for samba changes, as it can lead to some time
delay... Maybe keep these ugly things "as is", at least for a while?
Note that this permission problem can confuse the "end-user" here a lot. IMO it
is better to do these group manipulations rather than do nothing...
> I would prefer to not wait for samba changes, as it can lead to some time
> delay... Maybe keep these ugly things "as is", at least for a while?
If by "for a while" you mean before package is approved, yes. (: Seriously,
imo, this is a blocker that MUST be fixed before acceptance into Extras.
Maybe don't touch /var/cache/samba/winbindd_privileged at all now, and implement
"usermod -a -G ..." just when samba/squid will implement the requested changes?
I would prefer to not wait for FC6 for this...
Sorry ... Newb problem ...
I downloaded the src rpm from above and did a
rpmbuild and rpm -i to install.... it appeared to compile
via apxs and install ok, and the files are in the right place.
I have a working samba, and squid ntlm auth works. I
have added apache to the squid group.
However this does not seem to work for me.. Both with IE
This is a bit distressing ... as I have had it working on another
sum of my apache module ...
Does this match yours ? Did I build the rpm correctly ... I assumed the spec
file was in the source rpm ...newb question this :-) I did a rpmbuild --rebuild
I am using FC 5 Apache 2.2.2 samba version 3.0.23a-1.fc5.1
drwxr-x--- 2 root squid 4096 Aug 8 14:10 winbindd_privileged
Thanks ... log dump from apache follows
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(1088): [client 10.251.20.195] doing ntlm auth dance
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(529): [client 10.251.20.195] Launched ntlm_helper, pid 29040
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(699): [client 10.251.20.195] creating auth user
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(750): [client 10.251.20.195] parsing reply from helper to YR TlR
[2006/08/09 12:40:09, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(788): [client 10.251.20.195] got response: TT TlRMTVNTUAACAAAAFA
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(455): [client 10.251.20.195] sending back TlRMTVNTUAACAAAAFAAUAD
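As an added illustration (not part of the thread, the package or the module's own code), a small Python script that walks an error_log excerpt like the dump above and reports how far the NTLM dance got: whether ntlm_auth was launched, which NTLMSSP message type each logged base64 token carries (the "NTLMSSP\0" signature plus a little-endian type word sit in the first 16 base64 characters), and which negotiate flags ntlm_auth printed. The sample log is constructed from the dump above with the wrapped "[client ...]" lines re-joined; the flag table is a subset of the MS-NLMP NegotiateFlags bits.

```python
import base64
import re

# Constructed sample: the poster's error_log excerpt, wrapped lines re-joined,
# plus the interleaved two-line Samba ntlm_auth debug entry.
SAMPLE_LOG = """\
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(1088): [client 10.251.20.195] doing ntlm auth dance
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(529): [client 10.251.20.195] Launched ntlm_helper, pid 29040
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(699): [client 10.251.20.195] creating auth user
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(750): [client 10.251.20.195] parsing reply from helper to YR TlR
[2006/08/09 12:40:09, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(788): [client 10.251.20.195] got response: TT TlRMTVNTUAACAAAAFA
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(455): [client 10.251.20.195] sending back TlRMTVNTUAACAAAAFAAUAD
"""

APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] mod_ntlm_winbind\.c\((?P<line>\d+)\): "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)")

# Where each logged token sits in the handshake, keyed by the ntlm_auth
# helper-protocol keyword in front of it ("YR": new request, "TT": token back).
TOKEN_PATTERNS = (
    ("apache->helper (YR)", re.compile(r"parsing reply from helper to YR (\S+)")),
    ("helper->apache (TT)", re.compile(r"got response: TT (\S+)")),
    ("apache->client", re.compile(r"sending back (\S+)")),
)

# Subset of NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5), bit -> name.
NEG_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def decode_neg_flags(value):
    """Names of the known flag bits set in an NTLMSSP NegotiateFlags word."""
    return [name for bit, name in sorted(NEG_FLAGS.items()) if value & bit]


def ntlmssp_message_type(b64_prefix):
    """MessageType from the first 12 bytes of an NTLMSSP token (8-byte
    "NTLMSSP\\0" signature + little-endian uint32), i.e. its first 16 base64
    characters; None if the logged prefix is shorter or is not NTLMSSP."""
    if len(b64_prefix) < 16:
        return None
    try:
        raw = base64.b64decode(b64_prefix[:16], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw[:8] != b"NTLMSSP\x00":
        return None
    return int.from_bytes(raw[8:12], "little")


def analyse_ntlm_dance(log_text):
    """Summarise one NTLM handshake from mod_ntlm_winbind debug output."""
    result = {"client": None, "helper_pid": None, "neg_flags": [], "steps": []}
    for line in log_text.splitlines():
        flags = FLAGS_RE.search(line)
        if flags:
            result["neg_flags"] = decode_neg_flags(int(flags.group(1), 16))
            continue
        m = APACHE_RE.match(line)
        if not m:
            continue
        result["client"] = m.group("client")
        msg = m.group("msg")
        pid = re.search(r"Launched ntlm_helper, pid (\d+)", msg)
        if pid:
            result["helper_pid"] = int(pid.group(1))
        for label, pattern in TOKEN_PATTERNS:
            tok = pattern.search(msg)
            if tok:
                result["steps"].append((label, ntlmssp_message_type(tok.group(1))))
    # A CHALLENGE (type 2) sent back to the client proves Apache, ntlm_auth and
    # winbindd are all talking; a dance that stalls after that points at the
    # client side or at the connection being closed between the type 2 and
    # type 3 requests.
    result["challenge_sent_to_client"] = any(
        label == "apache->client" and mtype == 2 for label, mtype in result["steps"])
    return result


def describe(result):
    lines = [f"client {result['client']}, ntlm_auth pid {result['helper_pid']}"]
    for label, mtype in result["steps"]:
        lines.append(f"  {label}: {MESSAGE_TYPES.get(mtype, 'type unknown/truncated')}")
    lines.append("  neg_flags: " + ", ".join(result["neg_flags"]))
    lines.append("  challenge reached client: " + str(result["challenge_sent_to_client"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(analyse_ntlm_dance(SAMPLE_LOG)))
```

Run against the dump above it reports a CHALLENGE going back to the client, which is exactly the conclusion drawn in the next reply: the server side is fine and the problem lies between the challenge and the client's reply.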
The log shows that the module itself works, ntlm_auth helper was invoked and
successfully connected to winbindd...
- Does your IE ask for login/password? If so, did you use "DOMAIN\user" or just
"user" for login?
- What is your "KeepAlive" parameter in /etc/httpd/conf/httpd.conf?
Anyway, try "KeepAlive on" and "MaxKeepAliveRequests 100" or another big
enough value -- but NOT zero ("0") value.
It these "two ideas" help nothing, send me (for my e-mail) your httpd.conf and
"It these" => "If these" :)
Bingo ..... Keepalive was set to OFF
Enabled it and it works great... many thanks...
BTW.. I did not change this parameter on my server....is it set to off by
default ?? Perhaps something to check on install ???
> is it set to off by default?
Yep. At least under Fedora. Don't know why.
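The "something to check on install" the poster asks for, as an added example that is not part of the package or the thread: a Python function that reads an httpd.conf excerpt and reports settings that break the connection-bound NTLM handshake, following the advice given above (KeepAlive On, MaxKeepAliveRequests large and not zero). The sample configuration is constructed to mirror the poster's situation; the values assumed when a directive is absent are Apache's documented defaults, and the "not zero" rule is the thread's advice rather than an Apache rule.

```python
import re

# Constructed httpd.conf excerpt mirroring the poster's situation: KeepAlive
# is Off, which closes the connection between the NTLM type 2 and type 3
# requests and so breaks the handshake.
SAMPLE_HTTPD_CONF = """\
# KeepAlive: Whether or not to allow persistent connections
KeepAlive Off

# MaxKeepAliveRequests: maximum requests per persistent connection
MaxKeepAliveRequests 100

Timeout 120
"""

# "Directive value  # optional trailing comment"
DIRECTIVE_RE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s+(?P<value>[^#]*?)\s*(?:#.*)?$")


def parse_directives(conf_text, names):
    """Return {lower-cased directive: last value seen} for the wanted names.
    Comment and blank lines are skipped and the last occurrence wins, as for
    Apache's top-level handling. Directives inside <Section> blocks are taken
    at face value, which is a simplification of Apache's scoping."""
    wanted = {n.lower() for n in names}
    found = {}
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m and m.group("name").lower() in wanted:
            found[m.group("name").lower()] = m.group("value")
    return found


def check_ntlm_keepalive(conf_text):
    """List the settings that would stop an NTLM handshake from completing."""
    d = parse_directives(conf_text, ["KeepAlive", "MaxKeepAliveRequests"])
    problems = []
    keepalive = d.get("keepalive", "On")  # Apache default when unset
    if keepalive.lower() != "on":
        problems.append(
            f"KeepAlive is '{keepalive}'; NTLM needs 'KeepAlive On' because the "
            "type 1/type 2/type 3 exchange is bound to a single TCP connection")
    raw = d.get("maxkeepaliverequests", "100")  # Apache default when unset
    try:
        limit = int(raw)
    except ValueError:
        problems.append(f"MaxKeepAliveRequests '{raw}' is not an integer")
        return problems
    if limit == 0:
        problems.append("MaxKeepAliveRequests is 0; the advice in this thread is a "
                        "large non-zero value such as 100")
    elif limit < 3:
        problems.append(f"MaxKeepAliveRequests {limit} can close the connection "
                        "before the three-request handshake completes")
    return problems


if __name__ == "__main__":
    for problem in check_ntlm_keepalive(SAMPLE_HTTPD_CONF) or ["no KeepAlive problems found"]:
        print(problem)
```

Pointing this at the real /etc/httpd/conf/httpd.conf from a %post scriptlet would only be a warning, not a fix: the package should not rewrite another package's config file, for the same reason the group-ownership hack above was rejected.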
The upstream has changed the name to "auth_ntlm_winbind" completely,
introduced a VERSION file and done some fixes.
I've changed the version-release scheme to VERSION-0.svnrev.X because of this.
- updates to svn release 713
- Winbind's special group is named "wbpriv" now
FYI, the naming guidelines specify a name of
The date should be in the form 20070605. Then just increment the '1' for each
update you do. (Actually the guidelines don't specify the appending of the
svnrelease, but it's been permitted elsewhere in the past.)
The important thing is that the date needs to be there.
OK, add the date into release field.
ping Rex ?... :)
This is an old one, and it's really a very simple package. Let me take a look....
The URL: seems to be invalid.
W: mod_auth_ntlm_winbind mixed-use-of-spaces-and-tabs (spaces: line 13, tab:
No big deal; fix it if you like.
W: mod_auth_ntlm_winbind-debuginfo filename-too-long-for-joliet
I'm not sure there's anything you can do about this, nor do I know if this
actually causes any problems.
It's actually more useful to do "svn export" instead of "svn co" to get an
updated source tree, because it doesn't give you a bunch of useless .svn
You need a Requires(post): /usr/sbin/usermod (or shadow-utils). Frankly I'm not
sure if rpm will guarantee that apache is installed before this package so that
the %post scriptlet will actually run, and I think that should be confirmed with
an expert first. I don't have any particular issue with this package changing
the apache users' group list, however.
* source files match upstream.
I did an svn export and diffed the directories manually.
* package meets naming and versioning guidelines. (The upstream version really
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.
* description is OK.
* dist tag is present.
* build root is OK.
* license field matches the actual license.
* license is open source-compatible.
* license text not included upstream.
* latest version is being packaged (The SVN ID of the upstream repository is 754
as I do this review, but none of the files in this package have been changed as
far as I can tell.)
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (development, x86_64).
* package installs properly
* debuginfo package looks complete.
* rpmlint has only acceptable complaints.
* final provides and requires are sane:
config(mod_auth_ntlm_winbind) = 0.0.0-0.1.20070129svn713.fc8
mod_auth_ntlm_winbind = 0.0.0-0.1.20070129svn713.fc8
config(mod_auth_ntlm_winbind) = 0.0.0-0.1.20070129svn713.fc8
httpd >= 2.0.40
httpd-mmn = 20051115
* %check is not present; no test suite upstream. I have no means to test this
* no shared libraries are added to the regular linker search paths.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no scriptlets present.
* code, not content.
* documentation is small, so no -docs subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* no headers.
* no pkgconfig files.
* no static libraries.
* no libtool .la files.
> The URL: seems to be invalid.
Prefer a more clean text in files rather than such a kind of pedantic :)
Never seen it... Assume it will not actually affect the debuginfo sub-package in the
> "svn export" instead of "svn co"
> You need a Requires(post): /usr/sbin/usermod (or shadow-utils).
Add "Requires(post): shadow-utils"
> not sure if rpm will guarantee that apache is installed before this package
Seems that just "requires" of httpd (and samba-common for "wbpriv" group) is
enough. Both rpm and yum first install all the "Requires", and then
mod_auth_ntlm_winbind. Just checked it out now one more time.
> SVN ID of the upstream repository is 754
I use the SVN ID and the date of the latest change of this module; this way
seems cleaner.
Looks good to me.
New Package CVS Request
Package Name: mod_auth_ntlm_winbind
Short Description: NTLM authentication for the Apache web server using winbind
Package Change Request
Package Name: mod_auth_ntlm_winbind
New Branches: el6
Git done (by process-git-requests).