Posted to users@httpd.apache.org by John Stile <jo...@meyersound.com> on 2005/05/09 22:52:03 UTC

[users@httpd] group authentication failing with apache2mod_auth_pam and winbind

I am trying to set up apache authentication to use mod_auth_pam, winbind,
and Active Directory.
It works for 'Require user johns'
But it fails for 'Require group developers'
The logs indicate a fail and a pass:
  ==> /var/log/apache2/access.log <==
  192.168.60.162 - - [09/May/2005:10:57:16 -0700] "GET /JOHN HTTP/1.1" 401 602 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 SUSE/1.0.3-1.1"
  192.168.60.162 - johns [09/May/2005:10:57:26 -0700] "GET /JOHN HTTP/1.1" 401 602 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 SUSE/1.0.3-1.1"
 
  ==> /var/log/apache2/error.log <==
  [Mon May 09 10:57:26 2005] [error] [client 192.168.60.162] access to /JOHN failed, reason: user johns not allowed access

  ==> /var/log/auth.log <==
  May  9 10:57:26 localhost pam_winbind[8564]: user 'johns' granted access

Winbind is working great with samba shares, and I can authenticate a
user against AD using 'wbinfo -a MS+johns%password'.  I can get a dump
of groups (and members) with 'getent group' so nsswitch is set up
correctly.

/etc/pam.d/apache2
auth            required      pam_winbind.so
account        required      pam_winbind.so

Snip from the apache config which uses AuthPAM_Enabled
        ####################
        # TESTING winbind authentication
        ####################
        <Location /JOHN>
           DAV svn
           # SVNAutoversioning on
           #AuthzSVNAccessFile /etc/apache2/dav_svn.passwd
           SVNPath /home/jstile/repo
           SVNIndexXSLT "/apache2-default/svnindex.xsl"
           AuthType Basic
           AuthName "SVN repository"
           AuthPAM_Enabled on
           Require group 'developers'
        </Location>

Environment: 
----------------
Debian 3.0 testing
libapache2-mod-auth-pam 1.1.1-6
apache2 2.0.54-2
winbind 3.0.14a-1 

I have looked for other posts regarding this, but they seem to be dead
ends (no solution at the end of the trail).  I've spent a few days
looking and there might be a solution somewhere among the cruft, but I
haven't found it.  

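The logs in the post show two separate decisions: pam_winbind accepts the password (auth.log) while Apache refuses the 'Require group' line (error.log). The following diagnostic is an added example, not part of the original post or of mod_auth_pam; it assumes the group check resolves names through NSS, the same source 'getent group' reads, and reports whether a user is in a group by exact name, through either the member list or the primary GID.

```python
import grp
import pwd
import sys


def group_membership(user, group, getpw=pwd.getpwnam, getgr=grp.getgrnam):
    """Return (is_member, reason) for `user` in `group`.

    Assumption: the web server's group check relies on NSS lookups.
    getpw/getgr default to the system NSS calls (fed by winbind when
    nsswitch.conf lists it); they are parameters so the logic can also
    be run against constructed data.
    """
    try:
        gr = getgr(group)
    except KeyError:
        return False, "group %r does not resolve by that exact name" % group
    try:
        pw = getpw(user)
    except KeyError:
        return False, "user %r does not resolve by that exact name" % user
    # Supplementary membership: the user is named in the group entry.
    if user in gr.gr_mem:
        return True, "listed in the group's member list"
    # Primary membership: only visible through the passwd entry's GID,
    # so a check that reads the member list alone would miss it.
    if pw.pw_gid == gr.gr_gid:
        return True, "primary GID matches, user absent from member list"
    return False, "user and group resolve, but user is not a member"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s USER GROUP" % sys.argv[0])
    ok, why = group_membership(sys.argv[1], sys.argv[2])
    print("%s in %s: %s (%s)" % (sys.argv[1], sys.argv[2], ok, why))
    sys.exit(0 if ok else 1)
```

Run it as the account Apache runs under, with the user name exactly as it appears in access.log and the group name exactly as written on the Require line, since the lookup happens in the server process and by exact name.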