Posted to users@httpd.apache.org by John Stile <jo...@meyersound.com> on 2005/05/09 22:52:03 UTC
[users@httpd] group authentication failing with apache2 mod_auth_pam and winbind
I am trying to set up apache authentication to use mod_auth_pam, winbind,
and Active Directory.
It works for 'Require user johns'
But it fails for 'Require group developers'
The logs indicate a fail and a pass:
==> /var/log/apache2/access.log <==
192.168.60.162 - - [09/May/2005:10:57:16 -0700] "GET /JOHN HTTP/1.1" 401 602 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 SUSE/1.0.3-1.1"
192.168.60.162 - johns [09/May/2005:10:57:26 -0700] "GET /JOHN HTTP/1.1" 401 602 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 SUSE/1.0.3-1.1"
==> /var/log/apache2/error.log <==
[Mon May 09 10:57:26 2005] [error] [client 192.168.60.162] access to /JOHN failed, reason: user johns not allowed access
==> /var/log/auth.log <==
May 9 10:57:26 localhost pam_winbind[8564]: user 'johns' granted access
Winbind is working great with samba shares, and I can authenticate a
user against AD using 'wbinfo -a MS+johns%password'. I can get a dump
of groups (and members) with 'getent group' so nsswitch is set up
correctly.
/etc/pam.d/apache2
auth required pam_winbind.so
account required pam_winbind.so
Snip from the apache config which uses AuthPAM_Enabled
####################
# TESTING winbind authentication
####################
<Location /JOHN>
    DAV svn
    # SVNAutoversioning on
    #AuthzSVNAccessFile /etc/apache2/dav_svn.passwd
    SVNPath /home/jstile/repo
    SVNIndexXSLT "/apache2-default/svnindex.xsl"
    AuthType Basic
    AuthName "SVN repository"
    AuthPAM_Enabled on
    Require group 'developers'
</Location>
Environment:
----------------
Debian 3.0 testing
libapache2-mod-auth-pam 1.1.1-6
apache2 2.0.54-2
winbind 3.0.14a-1
I have looked for other posts regarding this, but they seem to be dead
ends (no solution at the end of the trail). I've spent a few days
looking and there might be a solution somewhere among the cruft, but I
haven't found it.
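
Added example, not part of the original post: a small Python triage script that pairs each "not allowed access" line in error.log with a pam_winbind grant for the same user at about the same time, to show whether a 401 was issued after the password check had already passed. The sample lines are constructed from the excerpts quoted in the post; the two-second window and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the error.log and auth.log lines quoted in the post.
ERROR_LOG = ["[Mon May 09 10:57:26 2005] [error] [client 192.168.60.162] "
             "access to /JOHN failed, reason: user johns not allowed access"]
AUTH_LOG = ["May 9 10:57:26 localhost pam_winbind[8564]: user 'johns' granted access"]

DENY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"access to (?P<uri>\S+) failed, reason: user (?P<user>\S+) not allowed access")
GRANT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) \S+ pam_winbind\[\d+\]: "
    r"user '(?P<user>[^']+)' granted access")

def parse_denials(lines):
    """Apache error.log entries where a named user was refused."""
    found = []
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            found.append({"ts": ts, "user": m["user"], "uri": m["uri"]})
    return found

def parse_grants(lines, year):
    """pam_winbind successes; syslog omits the year, so the caller supplies it."""
    found = []
    for line in lines:
        m = GRANT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append({"ts": ts, "user": m["user"]})
    return found

def classify(denials, grants, window_s=2):
    # A PAM grant for the same user within window_s seconds means the password
    # check passed, so the refusal came from the Require (authorization) step.
    out = []
    for d in denials:
        passed = any(g["user"] == d["user"]
                     and abs((g["ts"] - d["ts"]).total_seconds()) <= window_s
                     for g in grants)
        out.append({**d, "stage": "authorization" if passed else "unconfirmed"})
    return out

if __name__ == "__main__":
    for r in classify(parse_denials(ERROR_LOG), parse_grants(AUTH_LOG, 2005)):
        print(r["ts"], r["user"], r["uri"], "refused at:", r["stage"])
```
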