Thanks for the update.

For some strange reason, the bug disappeared since I installed libapache2-mod-php5 (strange, isn't it?). I don't know what is related to this module, but now my authentication is working very well.

Regarding security, we use NTLM in the internal network only. I already tried to use libapache2-mod-auth-kerb, but it seems much more complicated to use.

Anyway, thanks for your answer. I suggest this ticket can be closed.

Regards.
Olivier.

2016-01-08 0:16 GMT+01:00 Olly Betts <o...@survex.com>:

> On Thu, Dec 10, 2015 at 04:03:21PM +0100, Olivier Bitsch wrote:
> > Dear team,
>
> This package isn't team-maintained.
>
> > I'm currently trying to configure NTLM authentication with Apache and
> > Winbind, unfortunately, the system is quite unstable. I used the same
> > setup without any problem with Wheezy version. Basically, the
> > authentication is working, but sometimes, Apache results to a 500 error
> > due to winbind fatal error.
>
> I packaged this module as it was being used by one of my clients in a
> project, but they've switched to using libapache2-mod-auth-kerb instead,
> so I no longer have access to an environment where I can test the
> package.
>
> NTLM is also better avoided if you can, as the package description warns:
>
> If you're considering using this module, you should be aware that NTLM
> isn't regarded as very secure by modern standards - even Microsoft no
> longer recommends its use - and where possible, you probably want to use
> Kerberos with negotiate auth over https instead (see Debian package
> libapache2-mod-auth-kerb).
>
> I was thinking I should either orphan this package or request it be removed
> before stretch - mostly I haven't because I'm unsure which makes more
> sense.
> NTLM has security concerns, but AIUI negotiate auth over http (rather than
> https) suffers from connection hijack issues, but I don't know how it
> compares in overall security terms with NTLM if you aren't able to use
> https.
>
> I think I should probably just orphan it (which I've now done), and I can
> always do a "RoQA" removal if nobody else wants to pick it up.
>
> Anyway, I'm afraid I'm unlikely to be able to help much with this bug. The
> module is mostly just glue code between apache and the /usr/bin/ntlm_auth
> helper in the winbind package - the latter does the actual authentication,
> so the problem may lie there.
>
> We did find the authentication was a bit randomly flaky, though I don't
> recall if the symptoms matched those you see.
>
> Cheers,
> Olly