On Thu, Dec 10, 2015 at 04:03:21PM +0100, Olivier Bitsch wrote:
> Dear team,
This package isn't team-maintained.
> I'm currently trying to configure NTLM authentication with Apache and
> Winbind, unfortunately, the system is quite unstable. I used the same
> setup without any problem with Wheezy version. Basically, the
> authentication is working, but sometimes, Apache results in a 500 error
> due to winbind fatal error.
I packaged this module as it was being used by one of my clients in a
project, but they've switched to using libapache2-mod-auth-kerb instead,
so I no longer have access to an environment where I can test the
package.
NTLM is also better avoided if you can, as the package description warns:

    If you're considering using this module, you should be aware that NTLM
    isn't regarded as very secure by modern standards - even Microsoft no
    longer recommends its use - and where possible, you probably want to use
    Kerberos with negotiate auth over https instead (see Debian package
    libapache2-mod-auth-kerb).

I was thinking I should either orphan this package or request it be removed
before stretch - mostly I haven't because I'm unsure which makes more sense.
NTLM has security concerns, but AIUI negotiate auth over http (rather than
https) suffers from connection hijack issues, but I don't know how it
compares in overall security terms with NTLM if you aren't able to use
https.
I think I should probably just orphan it (which I've now done), and I can
always do a "RoQA" removal if nobody else wants to pick it up.
Anyway, I'm afraid I'm unlikely to be able to help much with this bug. The
module is mostly just glue code between apache and the /usr/bin/ntlm_auth
helper in the winbind package - the latter does the actual authentication,
so the problem may lie there.
We did find the authentication was a bit randomly flaky, though I don't
recall if the symptoms matched those you see.
Cheers,
Olly