When setting up NTLM on openSUSE I was getting a 500 server error from Apache.

In the error log: ntlm_auth reports Broken Helper: BH NT_STATUS_ACCESS_DENIED NT_STATUS_ACCESS_DENIED

Solved with setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged