You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Felix Collins <fe...@keyghost.com> on 2005/01/27 21:55:56 UTC
[users@httpd] Has anyone seen this string: "couldn't check access. No groups file?"
Hi,
I am having a peculiar problem with mod_sspi configuration (Apache 2 on
win2K). I have everything working fine with the config shown at the end
of the post. When I try "SSPIOmitDomain On" I run into problems.
For my Subversion config using mod_authz_svn SSPIOmitDomain works fine.
All of a sudden my SVN users no longer need to have the DOMAIN\ in
front of their user name. However, for the Trac locations (\project\) I
get the following message showing up in the log.
"configuration error: couldn't check access. No groups file?:
/projects/myproject"
I'm not sure what is generating this message. I do not have mod_auth
loaded, only mod_authz_svn and mod_auth_sspi.
I searched on google for the phrase "couldn't check access. No groups
file?" and got a hand full of hits, mainly on user mailing lists of
various projects using Apache. No one seemed to have resolved the
problem or even worked out what was generating the message.
I searched for the string in the code of an older version of
mod_auth_sspi (I don't have the source for the one I'm using but it
should be substantially the same) and found nothing.
I checked out the source for Apache and searched for the string there,
again nothing.
Questions:
1.Does anyone know where this message might be coming from?
2.Does anyone know why my Trac locations stop working when
"SSPIOmitDomain On" is put in my config?
3.Can anyone point me to an explanation of how different mod_auth
modules work together? I read the docs-2.0/howto/auth.html page but
this only cover mod_auth and not how it works.
Thanks for any help, unfortunately I'm an Apache newbie...
Felix
Extracts from httpd.conf follow...
------------MODULES LOADED-------------
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule ssl_module modules/mod_ssl.so
#Modules for subversion
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
# sspi_auth_module loaded to allow NTDomain auth
LoadModule sspi_auth_module modules/mod_auth_sspi.so
------------CONFIG FOR SVN AND TRAC LOCATIONS------------
#######################################################
#Subversion repositories location configuration
<Location /repos>
Dav svn
SVNParentPath D:/repos
#NT Domain auth config
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
AuthName "Subversion repository"
AuthzSVNAccessFile "C:\Program Files\Apache
Group\Apache2\conf\svnaccessfile.txt"
Require valid-user
</Location>
#######################################################
#Trac - issue tracking configuration
<Directory "C:\python23\share\trac\htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "C:\python23\share\trac\htdocs\css">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /trac/htdocs C:\python23\share\trac\htdocs
Alias /trac/htdocs/css C:\python23\share\trac\htdocs\css
#######################################################
RewriteEngine On
RewriteRule ^/projects+/*$ d:\\maker\\index.html [L]
RewriteCond d:\\tracdb\\$1 -d
RewriteRule ^/projects/([[:alnum:]]+)(/?.*)
c:\\Python23\\share\\trac\\cgi-bin\\trac.cgi$2
[S=1,E=TRAC_ENV:d:\\tracdb\\$1]
RewriteRule ^/projects/(.*) d:\\maker\\index.html
<Location "/projects">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
#NT Domain auth config
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
# SSPIOmitDomain On
Require group INTRANEL\Keyghost INTRANEL\Intranel
</Location>
<Directory "C:\Python23\share\trac\cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
</Directory>
<Directory "d:\maker">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
#NT Domain auth config
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
# SSPIOmitDomain On
Require group INTRANEL\Keyghost INTRANEL\Intranel
</Directory>
alias /maker d:\maker
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Has anyone seen this string: "couldn't check access.
No groups file?"
Posted by Felix Collins <fe...@keyghost.com>.
Joshua Slive wrote:
> be "authoritative" for authentication, and therefore authentication is
> falling through. I thought that the error message was improved in
> later versions. What exact version are you using?
That is very useful information! Thanks. I'm running 2.0.49
> You may be able to fix the problem by loading mod_auth. It might fix
> the problem even if you don't use it directly. But that is just a
> guess. The root of the problem is probably in your other auth
> modules.
I'll play around with it.
> And by the way, your config file should use forward slashes
> everywhere, not back-slashes.
>
I just noticed a comment on that in the documentation. Will fix. Why
does it work with \ at all? Is that requirement just for future
compatibility?
Cheers,
Felix
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Has anyone seen this string: "couldn't check access. No groups file?"
Posted by Joshua Slive <js...@gmail.com>.
On Fri, 28 Jan 2005 09:55:56 +1300, Felix Collins <fe...@keyghost.com> wrote:
> Hi,
> I am having a peculiar problem with mod_sspi configuration (Apache 2 on
> win2K). I have everything working fine with the config shown at the end
> of the post. When I try "SSPIOmitDomain On" I run into problems.
I have no clue about SSPI, but the error message in the subject line
is, if I remember correctly, an indication that nobody is claiming to
be "authoritative" for authentication, and therefore authentication is
falling through. I thought that the error message was improved in
later versions. What exact version are you using?
You may be able to fix the problem by loading mod_auth. It might fix
the problem even if you don't use it directly. But that is just a
guess. The root of the problem is probably in your other auth
modules.
> 3.Can anyone point me to an explanation of how different mod_auth
> modules work together? I read the docs-2.0/howto/auth.html page but
> this only cover mod_auth and not how it works.
Look at the AuthAuthoritative and other related directives.
And by the way, your config file should use forward slashes
everywhere, not back-slashes.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org