apache with pam/samba, failing because "User account has expired":pam_acct_mgmt

On Thu, 29 Apr 1999, James Sinnamon wrote:

> 4. Created the following /etc/pam.d/httpd file :

>    auth   required  /lib/security/pam_smb_auth.so debug

> ... this indicates that I have been authenticated by the NT PDC,
> however I still get the 'authorization failed' message.  When I examined
> the error_log file, I saw the following message:

>     httpd: [Thu Apr 29 17:52:01 1999] [error] access to /test/ failed for \
>, reason: User account has expired

> From examining mod_auth_pam.c, I gather that a call to
> pam_authenticate() has succeeded, but the subsequent call to
> pam_acct_mgmt() has failed.

> ... does anyone out there know what is going on here? Is there
> anything that I can do at the Linux end to fix this, or does something need
> to be done with the NT Domain Controllers?

If the call to pam_acct_mgmt() is failing, what's probably happening is that
pam is falling back to /lib/security/pam_deny.so on this call, which will of
course always fail.  The solution is to add another line to your
/etc/pam.d/httpd file that looks like this:

	account required /lib/security/pam_permit.so

So that the accounting check always succeeds.  If there is any account
management you need the system to do (you could optionally check that there is
a valid unix account for the username on your server, for added security), you
could use a module other than pam_permit.so--just so long as you use something
that will return success when it's supposed to :)

I haven't worked with mod_auth_pam, so I don't know what calls it makes, but
many PAM applications will also try to call the session management functions
if the auth and accounting portions check out.  If this is the case with
mod_auth_pam, you'll need to add a similar 'session' line to your pam.d file.

-Steve Langasek
postmodern programmer
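
Added example, not part of the original message or of mod_auth_pam: a small Python check that lists which PAM management groups a service file leaves without any rule, run on the file quoted in the post and on the same file with the suggested account line. The function names are hypothetical, and that an unconfigured group falls through to the system default is an assumption taken from the reply above.

```python
import re

PAM_TYPES = ("auth", "account", "password", "session")

def parse_pam_service(text):
    """Parse pam.d service-file text into {type: [(control, module_and_args)]}."""
    stacks = {t: [] for t in PAM_TYPES}
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        # type, then a simple or [bracketed] control, then module path and args
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(.+)$", line)
        if not m or m.group(1).lower() not in stacks:
            continue                          # not a rule line (e.g. @include, not followed here)
        stacks[m.group(1).lower()].append((m.group(2), m.group(3)))
    return stacks

def unconfigured_types(text, needed=("auth", "account")):
    """Types the application calls that have no rule in this service file.

    Assumption: each of these is answered by the system default stack,
    which on many systems is a deny-all rule.
    """
    stacks = parse_pam_service(text)
    return [t for t in needed if not stacks[t]]

# Constructed inputs: the file quoted in the post, and the same file
# with the account line suggested in the reply.
POSTED = "auth   required  /lib/security/pam_smb_auth.so debug\n"
WITH_ACCOUNT = POSTED + "account required /lib/security/pam_permit.so\n"

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("with account line", WITH_ACCOUNT)):
        gaps = unconfigured_types(text, ("auth", "account", "session"))
        print(f"{name}: no rules for {', '.join(gaps) or 'none'}")
```

Run against a real service file by passing its contents to `unconfigured_types()`; on systems that use `@include`, a reported gap may be filled by the included file, which this check does not follow.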

