When setting up NTLM on openSUSE I was getting a 500 server error from Apache.
In the error log: ntlm_auth reports Broken Helper: BH NT_STATUS_ACCESS_DENIED NT_STATUS_ACCESS_DENIED
Solved with setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged