[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

Tue Feb 17 21:46:44 UTC 2009
Ross Walker <rswwalker at gmail.com>

On Tue, Feb 17, 2009 at 2:59 PM, Kanwar Ranbir Sandhu
<m3freak at thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
>> I haven't tried this one, but make note it lacks NTLMv2 and group support
>> which made it non-usable in my environment. Like Filipe suggested
>> mod_auth_ntlm_winbind addresses this but it appears it's not actively
>> maintained and I got stuck configuring it and gave up...
>
> I believe you can use Kerberos auth and group lookups.  For the group
> support, you need to do direct LDAP lookups.  Just run a Google search
> for 'kerberos apache group', or something along those lines, to find
> some links discussing what I've mentioned here.

If you have a lot of hosts that need access to winbind-mapped
UIDs/GIDs, instead of setting up winbind everywhere and having an
administrative headache if the RID mapping gets messed up on one host,
set up a winbind-to-NIS server that puts the mappings into NIS maps and
propagate the information that way. The only real difference on the other
hosts is to switch 'winbind' to 'nis' in nsswitch.conf.

-Ross
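
An added example, not part of the original thread: a check for the per-host mapping drift described in the message above, comparing `getent passwd` output captured from two hosts and reporting domain accounts whose UID/GID differ or whose UID belongs to a different account on the other host. The sample data is constructed, and the `min_id` threshold for the start of the winbind idmap range is an assumption.

```python
# Constructed sample data: `getent passwd` output saved from two hosts.
HOST_A = """root:x:0:0:root:/root:/bin/bash
alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:10000:Bob:/home/bob:/bin/bash
carol:*:10003:10000:Carol:/home/carol:/bin/bash
"""
HOST_B = """root:x:0:0:root:/root:/bin/bash
alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10003:10000:Bob:/home/bob:/bin/bash
carol:*:10002:10000:Carol:/home/carol:/bin/bash
dave:*:10004:10000:Dave:/home/dave:/bin/bash
"""

def parse_passwd(text):
    """Map account name -> (uid, gid) from passwd(5)-format lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: not a passwd entry: {line!r}")
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries

def find_drift(host_a, host_b, min_id=10000):
    """Compare mapped accounts (uid >= min_id, an assumed idmap range start)."""
    a = {n: ids for n, ids in host_a.items() if ids[0] >= min_id}
    b = {n: ids for n, ids in host_b.items() if ids[0] >= min_id}
    # Same account name, different numeric identity on the two hosts.
    mismatch = {n: (a[n], b[n]) for n in sorted(a.keys() & b.keys()) if a[n] != b[n]}
    # Same UID owned by a different account on host B: files written by one
    # user on shared storage appear to belong to someone else.
    uid_owner_b = {ids[0]: n for n, ids in b.items()}
    uid_reuse = sorted((ids[0], n, uid_owner_b[ids[0]]) for n, ids in a.items()
                       if uid_owner_b.get(ids[0], n) != n)
    return {"mismatch": mismatch,
            "only_a": sorted(a.keys() - b.keys()),
            "only_b": sorted(b.keys() - a.keys()),
            "uid_reuse": uid_reuse}

if __name__ == "__main__":
    for key, value in find_drift(parse_passwd(HOST_A), parse_passwd(HOST_B)).items():
        print(f"{key}: {value}")
```

An empty `mismatch` and `uid_reuse` across all hosts is what a single NIS-distributed map is meant to guarantee.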