[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Problem with apache, winbind, and mod_auth_pam.

I discovered the initial problem. For some odd reason apache needs read
access to /etc/shadow when using mod_auth_pam. Strange. (I guess this is a
known issue)

Anyways ... I've now got another problem. Everything works well except for
that when I use a supplementary group in "require group blah" in .htaccess
... authentication fails.

Lets say JeffL's primary group is "Domain Users" ... if I do require group
"Domain Users" authentication works flawlessly ... but ... if I use
"Domains Admins" ... which is one of JeffL's supplementary groups ... I get
something like:

[Mon Sep 22 15:37:09 2003] [error] [client] GROUP: JeffL not
in required group(s)., referer: http://meeting-lido/

And apache keeps asking me for authentication until it gives up.

My LoadModule statements in httpd.conf look like this:

LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

Again, any help is appreciated.



|         |           Jeff Lopes       |
|         |                            |
|         |           09/22/2003 10:58 |
|         |           AM               |
|         |                            |
  |                                                                                                                                             |
  |       To:       pam-list redhat com                                                                                                         |
  |       cc:                                                                                                                                   |
  |       Subject:  Problem with apache, winbind, and mod_auth_pam.                                                                             |

My ultimate goal is to be able to use an Active Directory to authenticate
users in Apache 2.0.

My setup is as follows:

Redhat 9.0 - Kernel 2.4.20
Apache 2.0.40 (the RH9 RPM)
Samba 3.0 RC4 (the RPM provided by the samba group)
The latest version of mod_auth_pam for Apache 2.0 from

Winbind is setup correctly ... I have joined the domain and I am able to
list users and groups with both wbinfo and net ads. Also, I am able to use
wbinfo -a to test user authentication.

My /etc/pam.d/httpd looks like this:
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so

The relevant portion of /etc/samba/smb.conf looks like this:
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = {myprimarydomaincontroller}
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
realm = {myactivedirectorydomain}
security = ads
encrypt passwords = yes

And the .htaccess file in the protected directory looks like this:
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName "secure area"
require user JeffL

When I browse to the protected portion of the site I am prompted for
authentication, as expected. When I enter my domain username and password I
get a 401 (Authentication Required) page from Apache.

In /var/log/messages I see:
Sep 22 10:51:23 meeting-lido pam_winbind[9529]: user 'JeffL' granted acces

But in /var/log/httpd/error_log I see:
[Mon Sep 22 10:51:23 2003] [error] [client] PAM: user 'JeffL'
- invalid account: User not known to the underlying authentication module

This is the part I cannot figure out. It looks as if apache is using pam
correctly, and pam is also able to contact the winbind service to
authenticate. The problems appears to be somewhere in the mod_auth_pam
module when it gets it's response from pam.

Any help would be greatly appreciated. If there is any additional info I
can provide about the configuration, please ask.


Jeff Lopes

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]