when using apache mod-auth-pam with pam_winbind : no nested groups
Jonathan C. Detert
detertj at msoe.edu
Wed Nov 15 15:15:34 UTC 2006
Hello,
Configuring apache to use pam for http authentication (via apache's
mod_auth_pam module : http://pam.sourceforge.net/mod_auth_pam/),
and using pam_winbind as the module for apache, I can properly
authenticate users and enforce account authorization rules, _EXCEPT_
when access control relies on nested groups.
E.g. There are groups named IT-admin, IT-staff, and IT.
The IT group is defined as the members IT-staff and IT-admin.
I.e. IT is a nested group.
If the apache access control says:
Require IT
then nobody is able to authenticate. I have to change the access
control to say:
Require IT-admin IT-staff
in order for any of the intended people to be able to
authenticate.
However, sshd on the same server is also using pam, and also using the
pam_winbind module. The sshd server config says:
UsePAM yes
AllowGroups IT
and any member of IT-admin and IT-staff is able to authenticate and
connect via ssh.
This suggests that either there is something wrong with mod_auth_pam
that prevents nested groups from working, or that there's something
wrong with the pam config I used for apache (see below).
Any ideas how to make apache use pam, and to recognize nested groups?
Here's the pam config I used for apache:
auth required pam_winbind.so debug
account required pam_winbind.so debug
And here's the pam config I used for ssh:
auth required pam_env.so # [1]
@include common-auth
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
Here's the contents of the common-auth file:
auth requisite pam_nologin.so debug
auth [success=1 default=ignore] pam_localuser.so
auth [success=done auth_err=bad] pam_winbind.so debug
auth required pam_unix.so nullok_secure debug
And finally, the contents of the common-account file:
account [success=1 default=ignore] pam_localuser.so
account [success=done default=bad] pam_winbind.so debug
account required pam_unix.so nullok_secure debug
--
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
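One thing worth checking on that server, as an added diagnostic that is not part of the post above: a group lookup such as `getent group IT` returns only the group's own member field, which for a nested AD group as resolved by winbind may list the sub-groups (IT-admin, IT-staff) and never a user, whereas the user's supplementary group list (`id -nG user`, the data sshd's AllowGroups is matched against) already has nesting expanded. If mod_auth_pam decides `Require` by scanning the group's member field, that difference alone would produce exactly the symptom described (nobody passes `Require IT`, everybody passes with the leaf groups). That reading is a hypothesis to verify, not something the post establishes. The script below models both views over a constructed group table for the three groups in the post (the `x:1000n:` fields are made up), and `check_live` runs the same comparison against the real NSS data on a host.

```shell
#!/bin/sh
# Added example, not from the original post. Compares two ways a service can
# decide "is USER in GROUP" when groups come from winbind:
#   direct:   read GROUP's own member field (group(5) / getent group style)
#   expanded: walk the member field recursively so nested groups resolve to users
# A flat check on the constructed table below sees only "IT-admin,IT-staff"
# in IT and therefore never matches a user.

# Constructed sample of `getent group` output (assumption: winbind lists the
# sub-groups, not their users, as IT's members; gids are invented).
SAMPLE_GROUPS='IT:x:10001:IT-admin,IT-staff
IT-admin:x:10002:alice
IT-staff:x:10003:bob,carol'

# direct_members GROUP TEXT: print the raw member field of GROUP.
direct_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# is_group NAME TEXT: succeed if NAME is a group in TEXT.
is_group() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }'
}

# is_direct_member USER GROUP TEXT: what a flat member-list check sees.
is_direct_member() {
    direct_members "$2" "$3" | tr ',' '\n' | grep -qx -- "$1"
}

# expand_group GROUP TEXT [SEEN]: print every user reachable from GROUP,
# descending into nested groups. The body runs in a subshell so its variables
# stay local across recursion; SEEN guards against membership cycles.
expand_group() (
    grp=$1 text=$2 seen=${3:-}
    case ",$seen," in *",$grp,"*) exit 0 ;; esac
    seen="$seen,$grp"
    direct_members "$grp" "$text" | tr ',' '\n' | while IFS= read -r m; do
        [ -n "$m" ] || continue
        if is_group "$m" "$text"; then
            expand_group "$m" "$text" "$seen"
        else
            printf '%s\n' "$m"
        fi
    done
)

# is_nested_member USER GROUP TEXT: what a check over the expanded user list
# concludes (the view sshd's AllowGroups effectively gets, since it matches
# against the user's supplementary groups rather than the group's member field).
is_nested_member() {
    expand_group "$2" "$3" | grep -qx -- "$1"
}

# check_live USER GROUP: run both tests against the real NSS/winbind data on
# this host, and show what `id -nG` reports, so you can see which view each
# service is working from.
check_live() {
    user=$1 group=$2
    text=$(getent group)
    if is_direct_member "$user" "$group" "$text"; then
        echo "$user is a DIRECT member of $group (flat member-field check passes)"
    else
        echo "$user is NOT a direct member of $group (flat member-field check fails)"
    fi
    if id -nG -- "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
        echo "$user has $group in its supplementary groups (id -nG)"
    fi
    if is_nested_member "$user" "$group" "$text"; then
        echo "$user reaches $group through nested groups"
    fi
}

# Usage: . ./nested-groups.sh; check_live alice IT
```

On the affected host, run `check_live <user> IT` for someone in IT-admin: if the flat check fails while `id -nG` lists IT, the two services are consulting different data and the nesting is being lost in the group member field, not in pam_winbind's authentication step.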