[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

FW: apache with pam/samba, failing because "User account has expired": pam_acct_mgmt

Dear Pam Users/Developers,

(Firstly, thanks for the suggestion, Steve).  Using
/lib/security/pam_permit.so does
allow access to the page, but it does not seem to be a very elegant solution
for the following reasons:

1.  The user is prompted twice for her/his password
2.  I get '[ermerg]' level messages in .../apache/logs/error_log, which
    seems to indicate that httpd is not very happy about this sort of

Firstly, here is the file /etc/pam.d/httpd :

   auth    required        /lib/security/pam_smb_auth.so debug
   account required        /lib/security/pam_allow.so

...  and here are the messages:

/var/log/secure :

   Apr 30 14:44:01 turing httpd: pam_smb: Correct NT username/password pair

.../apache/logs/error_log :

   httpd: [Fri Apr 30 14:44:01 1999] [error] access to /test failed for \, reason: User account has expired

Anyhow, I may have to live with this, but if anyone else out there has
any other ideas about how users might be able to log onto a web site
and only have to enter their NT domain userid and password only once,
I am still interested.

Thanks again for the response.


James Sinnamon

On Thu, 29 Apr 1999, James Sinnamon wrote:

> 4. Created the following /etc/pam.d/httpd file :

>    auth   required  /lib/security/pam_smb_auth.so debug

> ... this indicates that I have been authenticated by the NT PDC,
> however I still get the 'authorization failed' message.  When I examined
> the error_log file, I saw the following message:

>     httpd: [Thu Apr 29 17:52:01 1999] [error] access to /test/ failed for
>, reason: User account has expired

> >From examining mod_auth_pam.c, I gather that a call to
> pam_authenticate() has succeeded, but the subsequent call to
> pam_acct_mgmt() has failed.

> ... does anyone out there know what is going on here? Is there
> anything that I can do at the Linux end to fix this, or does something
> to be done with the NT Domain Controllers?

On 30 Apr, Steve Langasek wrote:

If the call to pam_acct_mgmt() is failing, what's probably happening is that
pam is falling back to /lib/security/pam_deny.so on this call, which will of
course always fail.  The solution is to add another line to your
/etc/pam.d/httpd file that looks like this:

	account required /lib/security/pam_permit.so

So that the accounting check always succeeds.  If there is any account
management you need the system to do (you could optionally check that there
a valid unix account for the username on your server, for added security),
could use a module other than pam_permit.so--just so long as you use
that will return success when it's supposed to :)

I haven't worked with mod_auth_pam, so I don't know what calls it makes, but
many PAM applications will also try to call the session management functions
if the auth and accounting portions check out.  If this is the case with
mod_auth_pam, you'll need to add a similar 'session' line to your pam.d

-Steve Langasek
postmodern programmer

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []