Bug 188138 - Review Request: mod_auth_ntlm_winbind - NTLM authentication for the Apache web server using winbind daemon
Product: Fedora
Classification: Fedora
Component: Package Review
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Jason Tibbitts
Fedora Package Reviews List
Depends On: 198251
Reported: 2006-04-06 08:03 EDT by Dmitry Butskoy
Modified: 2011-09-01 11:50 EDT (History)
Last Closed: 2007-06-22 10:10:58 EDT
tibbs: fedora‑review+
limburgher: fedora‑cvs+

Description Dmitry Butskoy 2006-04-06 08:03:31 EDT
Spec: http://dmitry.butskoy.name/mod_ntlm_winbind/mod_ntlm_winbind.spec
SRPM: http://dmitry.butskoy.name/mod_ntlm_winbind/mod_ntlm_winbind-20060328-1.spec

The mod_ntlm_winbind module allows authentication and authorisation over
the Web against Windows NT/AD domain controllers, using Samba on the same
machine Apache is running on.
It uses the "ntlm_auth" helper utility to operate with the local winbindd(8) daemon,
both of which are standard parts of the Samba distribution.

This is the same way Squid does NTLM authentication now.

Additional info:
There are already various implementations of NTLM auth for both Apache1 and Apache2. Unlike those, mod_ntlm_winbind is a "Samba upstream" implementation, specially designed for this purpose.

For a long time only Apache1 was supported. Last week support for Apache2 appeared too, so it is now possible to use this module in Fedora.

There is no source tarball. All the code (three files) is placed under the appropriate directory on some FTP servers. Additionally, CVS access is possible too.

There is no version yet. (Perhaps sometime in the future it can become a part of the Samba distribution?) Therefore I use YYYYMMDD as a version, with epoch "0". (It is the same way as was used for the mod_auth_mysql module in the past.) Not sure whether it is good.

There are no docs; all the needed words are present as a comment in the config file.
Comment 2 Dmitry Butskoy 2006-04-17 11:43:39 EDT
- According to upstream, rename to "mod_auth_ntlm_winbind"
- Update to the latest svn source
- Add (temporary) coredumps patch by upstream co-author (will be in SVN soon too).

Comment 3 Dmitry Butskoy 2006-04-19 08:15:58 EDT
OK, the patch was applied upstream. Update to the latest SVN source.

Note: this version works fine (at least for me :))


Comment 4 Dmitry Butskoy 2006-04-24 07:51:04 EDT
Upgrade to the latest SVN (Negotiate/krb5 should work now too).


Comment 5 Dmitry Butskoy 2006-05-11 09:57:12 EDT
Upgrade to the latest SVN (compatibility with Apache 2.2)


Comment 6 Dmitry Butskoy 2006-07-10 09:57:20 EDT
Add patch to fix IE6 "CONNECT HTTP/1.0" issue.
Do "chgrp apache /var/cache/samba/winbindd_privileged/" on install, or trigger
"usermod -a -G squid apache" when squid is already installed (i.e. this dir has
group "squid").


Comment 7 Rex Dieter 2006-07-10 12:06:44 EDT
A few initial comments (and given enough time later this week, I'll hopefully 
be able to pull off a full review):

1.  Drop Epoch: 0
it's not necessary, nor desired.

2. Yuck, 
%post, %triggerin squid
Changing dir ownership in a scriptlet is bad, especially since the target is
owned by another package (samba-common).  I can see where you're coming from
here, but in the end, it's just an unacceptable hack.  Arg, on checking, it
appears squid does that same thing!

A better solution would be to ask/bug the samba maintainer to 
make /var/cache/samba/winbindd_privileged group writable (owned by some group, 
say, samba).  Then apache and squid could simply add themselves to this group 
on install.  (I'll go file a bug/enhancement-request for that now...)
Comment 8 Dmitry Butskoy 2006-07-10 12:48:17 EDT
> Drop Epoch: 0

> A better solution would be to ask/bug the samba maintainer to 
> make /var/cache/samba/winbindd_privileged group writable
Actually "group accessible", write permission is not needed here! ;)

I would prefer to not wait for samba changes, as it can lead to some time
delay... Maybe save these ugly things "as is", at least for a while?
Note that this permission problem can confuse the "end-user" here a lot. IMO it
is better to do these group manipulations rather than do nothing...

Comment 9 Rex Dieter 2006-07-10 12:51:57 EDT
> I would prefer to not wait for samba changes, as it can lead to some time
> delay... Maybe save these ugly things "as is", at least for a while?

If by "for a while" you mean before package is approved, yes.  (:  Seriously, 
imo, this is a blocker that MUST be fixed before acceptance into Extras.
Comment 10 Dmitry Butskoy 2006-07-25 08:11:26 EDT
Maybe don't touch /var/cache/samba/winbindd_privileged at all now, and implement
"usermod -a -G ..." only when samba/squid implement the requested changes?

I would prefer to not wait for FC6 for this...
Comment 11 Peter de Groot 2006-08-09 00:46:39 EDT
Sorry ... Newb problem ...
I downloaded the src rpm from above and did a
rpmbuild and rpm -i to install.... it appeared to compile
via apxs and install ok. and the files are in the right place.

I have a working samba, and squid ntlm auth works.  I
have added apache to the squid group.

However, it does not seem to work for me.. Both with IE

This is a bit distressing ... as I have had it working on another

sum of my apache module ... 

sum mod_auth_ntlm_winbind.so
15693    16

Does this match yours ?  Did I build the rpm correctly ... I assumed the spec
file was in the source rpm ...newb question this :-)  I did a rpmbuild --rebuild

I am using FC 5  Apache 2.2.2  samba version 3.0.23a-1.fc5.1

drwxr-x--- 2 root squid   4096 Aug  8 14:10 winbindd_privileged

Thanks ... log dump from apache follows
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(1088): [client] doing ntlm auth dance
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(529): [client] Launched ntlm_helper, pid 29040
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(699): [client] creating auth user
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(750): [client] parsing reply from helper to YR TlR
[2006/08/09 12:40:09, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(788): [client] got response: TT TlRMTVNTUAACAAAAFA
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(455): [client] sending back TlRMTVNTUAACAAAAFAAUAD
Comment 12 Dmitry Butskoy 2006-08-09 08:02:08 EDT
The log shows that the module itself works, ntlm_auth helper was invoked and
successfully connected to winbindd...

Some ideas:
- Does your IE ask for login/password? If so, did you use "DOMAIN\user" or just
"user" for login?
- What is your "KeepAlive" parameter in /etc/httpd/conf/httpd.conf? 
  Anyway, try "KeepAlive on" and "MaxKeepAliveRequests 100" or another big
enough value -- but NOT zero ("0") value.

It these "two ideas" help nothing, send me (for my e-mail) your httpd.conf and
/etc/httpd/conf.d/ntlm_winbind.conf ...
Comment 13 Dmitry Butskoy 2006-08-09 08:03:38 EDT
"It these" => "If these" :)
Comment 14 Peter de Groot 2006-08-09 21:17:09 EDT
Bingo ..... Keepalive was set to OFF
Enabled it and it works great... many thanks...

BTW..  I did not change this parameter on my server....is it set to off by
default ?? Perhaps something to check on install ???

Thanks again
Comment 15 Dmitry Butskoy 2006-08-10 06:04:52 EDT
> is it set to off by default?
Yep. At least under Fedora. Don't know why.
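
Added example (not part of any comment above, and not code from the module): to read a debug log like the one in Comment 11, each base64 token can be decoded far enough to see which NTLMSSP message it carries (1 negotiate, 2 challenge, 3 authenticate). The function names are made up here, the YR and TT keywords are the ones visible in that log, and the script assumes `base64` and `od` are installed.

```shell
#!/bin/sh
# Added example: label NTLM handshake steps seen in mod_ntlm_winbind debug logs.

# ntlmssp_type B64 -> NTLMSSP message type (1, 2 or 3), or "unknown" when the
# token is too short or does not start with the NTLMSSP signature.
ntlmssp_type() {
    tok=$(printf '%s' "$1" | cut -c1-16)          # 16 base64 chars = 12 bytes
    [ "${#tok}" -eq 16 ] || { echo unknown; return 0; }
    set -- $(printf '%s' "$tok" | base64 -d 2>/dev/null | od -An -v -tu1)
    # Bytes 1-8: "NTLMSSP\0"; bytes 9-12: message type, little-endian.
    if [ "$#" -eq 12 ] &&
       [ "$1 $2 $3 $4 $5 $6 $7 $8" = "78 84 76 77 83 83 80 0" ] &&
       [ "${10} ${11} ${12}" = "0 0 0" ]; then
        echo "$9"
    else
        echo unknown
    fi
}

# describe_line LINE -> "<direction>: type <n>"; fails for unrelated lines.
describe_line() {
    case $1 in
        *" YR "*)          step="to helper (YR)" ;;
        *" TT "*)          step="from helper (TT)" ;;
        *"sending back "*) step="to client" ;;
        *) return 1 ;;
    esac
    # The last field of the line is the (possibly truncated) base64 token.
    echo "$step: type $(ntlmssp_type "${1##* }")"
}

# Three lines copied from the log in Comment 11 (tokens truncated as posted).
sample='[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(750): [client] parsing reply from helper to YR TlR
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(788): [client] got response: TT TlRMTVNTUAACAAAAFA
[Wed Aug 09 12:40:09 2006] [debug] mod_ntlm_winbind.c(455): [client] sending back TlRMTVNTUAACAAAAFAAUAD'
printf '%s\n' "$sample" | while IFS= read -r line; do
    describe_line "$line" || true
done
```

For the posted lines it reports a type 2 challenge coming from the helper and being sent to the client; the YR token is too truncated in the post to decode.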
Comment 16 Dmitry Butskoy 2006-12-21 10:55:33 EST
Upstream has changed the name to "auth_ntlm_winbind" completely,
introduced a VERSION file and done some fixes.

I've changed the version-release scheme to VERSION-0.svnrev.X because of this.


Comment 17 Dmitry Butskoy 2007-03-26 09:46:33 EDT
- updates to svn release 713
- Winbind's special group is named "wbpriv" now


Comment 18 Jason Tibbitts 2007-06-05 19:04:40 EDT
FYI, the naming guidelines specify a name of
The date should be in the form 20070605.  Then just increment the '1' for each
update you do.  (Actually the guidelines don't specify the appending of the
svnrelease, but it's been permitted elsewhere in the past.)
The important thing is that the date needs to be there.
Comment 20 Jason Tibbitts 2007-06-19 23:55:52 EDT
This is an old one, and it's really a very simple package.  Let me take a look....

The URL: seems to be invalid.
rpmlint says:
   W: mod_auth_ntlm_winbind mixed-use-of-spaces-and-tabs (spaces: line 13, tab: 
      line 1)
No big deal; fix it if you like.

   W: mod_auth_ntlm_winbind-debuginfo filename-too-long-for-joliet 
I'm not sure there's anything you can do about this, nor do I know if this
actually causes any problems.

It's actually more useful to do "svn export" instead of "svn co" to get an
updated source tree, because it doesn't give you a bunch of useless .svn

You need a Requires(post): /usr/sbin/usermod (or shadow-utils).  Frankly I'm not
sure if rpm will guarantee that apache is installed before this package so that
the %post scriptlet will actually run, and I think that should be confirmed with
an expert first.  I don't have any particular issue with this package changing
the apache users' group list, however.

* source files match upstream.
  I did an svn export and diffed the directories manually.
* package meets naming and versioning guidelines.  (The upstream version really 
  is 0.0.0.)
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.
* description is OK.
* dist tag is present.
* build root is OK.
* license field matches the actual license.
* license is open source-compatible.
* license text not included upstream.
* latest version is being packaged (The SVN ID of the upstream repository is 754
  as I do this review, but none of the files in this package have been changed as
  far as I can tell.)
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (development, x86_64).
* package installs properly
* debuginfo package looks complete.
* rpmlint has only acceptable complaints.
* final provides and requires are sane:
   config(mod_auth_ntlm_winbind) = 0.0.0-0.1.20070129svn713.fc8
   mod_auth_ntlm_winbind = 0.0.0-0.1.20070129svn713.fc8
   config(mod_auth_ntlm_winbind) = 0.0.0-0.1.20070129svn713.fc8
   httpd >= 2.0.40
   httpd-mmn = 20051115
* %check is not present; no test suite upstream.  I have no means to test this 
* no shared libraries are added to the regular linker search paths.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no scriptlets present.
* code, not content.
* documentation is small, so no -docs subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* no headers.
* no pkgconfig files.
* no static libraries.
* no libtool .la files.
Comment 21 Dmitry Butskoy 2007-06-20 09:19:34 EDT
> The URL: seems to be invalid.
Yep, fixed.

> mixed-use-of-spaces-and-tabs
Prefer a more clean text in files rather than such a kind of pedantry :)

> filename-too-long-for-joliet
Never seen it... Assume it will not actually affect the debuginfo sub-package in the
final repository.

> "svn export" instead of "svn co"
Done, thanks.

> You need a Requires(post): /usr/sbin/usermod (or shadow-utils).
Add "Requires(post): shadow-utils"

> not sure if rpm will guarantee that apache is installed before this package
Seems that just "requires" of httpd (and samba-common for "wbpriv" group) is
enough. Both rpm and yum first install all the "Requires", and then
mod_auth_ntlm_winbind. Just checked it out now one more time.

> SVN ID of the upstream repository is 754
I use the SVN ID and the date of the latest change of this module, this way
seems to be more clean.
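
Added example (not part of any comment in this review, and not the package's own scriptlet): a shell pre-flight check for the two deployment problems raised in the thread, the KeepAlive setting from Comments 12 to 15 and group access to winbindd_privileged from Comments 6 to 10 and 17. The function names, the preflight.sh file name and the `--check` switch are made up for this example; the paths and the apache user are the ones named in the thread, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two deployment problems in this thread.

# directive_value FILE NAME -> last value given for directive NAME
# (case-insensitive, commented-out lines ignored), or "unset".
directive_value() {
    awk -v name="$2" 'tolower($1) == tolower(name) { v = tolower($2) }
                      END { print (v == "" ? "unset" : v) }' "$1"
}

# keepalive_ok FILE -> success when persistent connections are usable.
keepalive_ok() {
    # An absent directive falls back to Apache's built-in default (On).
    [ "$(directive_value "$1" KeepAlive)" != "off" ] || return 1
    # Comment 12 advises a non-zero MaxKeepAliveRequests.
    [ "$(directive_value "$1" MaxKeepAliveRequests)" != "0" ]
}

# priv_dir_ok MODE GROUP MEMBERSHIPS -> success when the directory is group
# r-x only (no group write, nothing for others, as in Comment 11's listing)
# and GROUP appears in the user's space-separated MEMBERSHIPS.
priv_dir_ok() {
    case $1 in
        d???r-x---*) ;;
        *) return 1 ;;
    esac
    for g in $3; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Run against the live system only when asked: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    conf=/etc/httpd/conf/httpd.conf
    dir=/var/cache/samba/winbindd_privileged
    rc=0
    keepalive_ok "$conf" || { echo "FAIL: KeepAlive settings in $conf"; rc=1; }
    priv_dir_ok "$(stat -c %A "$dir")" "$(stat -c %G "$dir")" \
                "$(id -Gn apache)" ||
        { echo "FAIL: mode or group of $dir, or apache's group list"; rc=1; }
    exit "$rc"
fi
```

Only the named configuration file is read; files pulled in through Include are not followed.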


Comment 22 Jason Tibbitts 2007-06-20 12:49:41 EDT
Looks good to me.

Comment 23 Dmitry Butskoy 2007-06-21 06:52:41 EDT
New Package CVS Request
Package Name: mod_auth_ntlm_winbind
Short Description: NTLM authentication for the Apache web server using winbind
Owners: dmitry@butskoy.name
Branches: F7
Comment 24 Kevin Fenzi 2007-06-21 22:10:47 EDT
cvs done.
Comment 25 Dmitry Butskoy 2011-09-01 11:28:53 EDT
Package Change Request
Package Name: mod_auth_ntlm_winbind
New Branches: el6
Owners: buc
Comment 26 Gwyn Ciesla 2011-09-01 11:50:15 EDT
Git done (by process-git-requests).
