when using apache mod-auth-pam with pam_winbind : no nested groups

Jonathan C. Detert detertj at msoe.edu
Wed Nov 15 15:15:34 UTC 2006


Hello,

Configuring apache to use pam for http authentication (via apache's
mod_auth_pam module : http://pam.sourceforge.net/mod_auth_pam/),
and using pam_winbind as the module for apache, I can properly
authenticate users and enforce account authorization rules, _EXCEPT_
when access control relies on nested groups.

E.g.  There are groups named IT-admin, IT-staff, and IT.
      The IT group is defined as the members IT-staff and IT-admin.
      I.e. IT is a nested group.
      If the apache access control says:
      
                Require IT

      then nobody is able to authenticate.  I have to change the access
      control to say:

                Require IT-admin IT-staff

      in order for any of the intended people to be able to
      authenticate.

However, sshd on the same server is also using pam, and also using the
pam_winbind module.  The sshd server config says:

                UsePAM yes
                AllowGroups IT

and any member of IT-admin and IT-staff is able to authenticate and
connect via ssh.

This suggests that either there is something wrong with mod_auth_pam
that prevents nested groups from working, or that there's something
wrong with the pam config I used for apache (see below).

Any ideas how to make apache use pam, and to recognize nested groups?

Here's the pam config I used for apache:
        auth required pam_winbind.so debug
        account required pam_winbind.so debug

And here's the pam config I used for ssh:
        auth       required     pam_env.so # [1]
        @include common-auth
        @include common-account
        @include common-session

        session    optional     pam_motd.so # [1]
        session    optional     pam_mail.so standard noenv # [1]
        session    required     pam_limits.so

        @include common-password

Here's the contents of the common-auth file:
        auth    requisite       pam_nologin.so debug
        auth    [success=1 default=ignore]    pam_localuser.so
        auth    [success=done auth_err=bad]   pam_winbind.so debug
        auth    required        pam_unix.so nullok_secure debug

And finally, the contents of the common-account file:
        account    [success=1 default=ignore]    pam_localuser.so
        account    [success=done default=bad]   pam_winbind.so debug
        account         required        pam_unix.so nullok_secure debug
-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
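Added diagnostic, not part of the original post or of mod_auth_pam: a small
shell helper that separates the two ways a "is user X in group G" question can
be answered on a winbind host. sshd's AllowGroups consults the user's
supplementary group list (the NSS view, where winbind has already flattened
nested groups), while a check that reads a group's own member field sees only
direct members. The group names IT, IT-staff and IT-admin are the post's; the
users jdoe, rjones and bob and the getent/id output are constructed so the
script runs offline. On the real server, replace the two samples with the live
commands `getent group "$group"` and `id -Gn "$user"`. If the live output
shows supplementary=yes but direct=no for IT, a module that resolves Require by
the direct member list would deny exactly the users the post describes; that
is the hypothesis this check tests, not an established fact about mod_auth_pam.

```shell
#!/bin/sh
# Constructed stand-in for `getent group` output on a winbind host.
# Note IT has no direct members of its own: its members are the groups
# IT-staff and IT-admin, so the member field is empty.
SAMPLE_GETENT='IT:x:10001:
IT-staff:x:10002:jdoe,asmith
IT-admin:x:10003:rjones'

# Constructed stand-in for `id -Gn USER`: the supplementary group list as
# NSS reports it, with nested membership already expanded by winbind.
sample_id_gn() {
    case "$1" in
        jdoe)   echo 'users IT-staff IT' ;;
        rjones) echo 'users IT-admin IT' ;;
        *)      echo 'users' ;;            # bob: not in any IT group
    esac
}

# in_direct_members GROUP USER: succeed if USER is listed in GROUP's member
# field of the getent-style lines on stdin (direct members only, no nesting).
in_direct_members() {
    grep "^$1:" | cut -d: -f4 | tr ',' '\n' | grep -qx "$2"
}

# in_supp_groups GROUP: succeed if GROUP appears in the whitespace-separated
# `id -Gn` output on stdin (the flattened view sshd's AllowGroups relies on).
in_supp_groups() {
    tr ' ' '\n' | grep -qx "$1"
}

# check_group GROUP USER: report both answers on one line, e.g.
# "direct=no supplementary=yes" means only the flattened NSS view grants it.
check_group() {
    direct=no
    supp=no
    printf '%s\n' "$SAMPLE_GETENT" | in_direct_members "$1" "$2" && direct=yes
    sample_id_gn "$2" | in_supp_groups "$1" && supp=yes
    echo "direct=$direct supplementary=$supp"
}

# Demonstration with the constructed data: jdoe reaches IT only via nesting.
for g in IT IT-staff IT-admin; do
    printf '%-9s jdoe: %s\n' "$g" "$(check_group "$g" jdoe)"
done
```

Run it as-is to see the constructed case, then swap the samples for the live
commands. A Samba 3 host only produces the flattened `id -Gn` view when
winbind's nested group expansion is enabled (the `winbind nested groups`
smb.conf setting), so check that the ssh side really is seeing the expanded
list before concluding that the Apache side is at fault.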
