auth_pam - not working...but why?
Andrew Sternick
Andrew.Sternick at aquantive.com
Mon Dec 17 22:05:10 UTC 2007
I am trying to get an apache/pam/smb system working happily. Samba is
swapping spit with AD and I am able to use the wbinfo and getent
commands, and also chown/chgrp to domain accounts and groups. I am
unsure if apache is configured correctly, but I cannot find any useful
logging facility to help with the PAM config. I am running Fedora Core
6 with httpd 2.2.6.
For /etc/pam.d/httpd:
#%PAM-1.0
auth required pam_winbind.so debug
account required pam_winbind.so debug
I am loading the PAM modules via the auth_pam.conf file in the ../conf.d
directory:
[root@sys01 conf.d]# more auth_pam.conf
LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
Here is my virtual-hosts.conf:
# xx.site.com
<VirtualHost 10.66.160.5>
    DocumentRoot /import/www.sites/xx/htdocs
    ServerName xx.site.com
    CustomLog logs/xx.site.com-access_log combined
    ErrorLog logs/xx.site.com-error_log
    <Directory /import/www.sites>
        AllowOverride All
        AuthPAM_Enabled on
        AuthType Basic
        Require valid-user
        AuthGROUP_FallThrough on
        AuthPAM_FallThrough on
        Options ExecCGI FollowSymLinks +Includes +Indexes
        IndexOptions FancyIndexing
        order deny,allow
        deny from all
        allow from all
    </Directory>
</VirtualHost>
Last but not least, the relevant .htaccess file:
AuthUserFile .... /.htpasswd
AuthGroupFile ..../.htgroup
AuthName ByPassword
AuthType Basic
AuthPAM_FallThrough on
<Limit GET>
    require group "domain users"
    require user clientname
</Limit>
According to my calculations, now httpd should be able to use domain
accounts to authenticate. The files in question on this webserver have
"domain users" as the group owner and 775 permissions - this is not a
filesystem permissions issue. At the apache authentication prompt, when
I give a domain account "blah", apache's error log says "user blah not
found". Of course the "clientname" account works so Apache+PAM are the
prime suspects for a configuration problem.
So here is the question: is there any way to see what apache is doing
vis a vis auth_pam? I'd like to get something more useful out of
apache's logging for this, but I do not know how to make that happen.
Andrew Sternick
System Administrator
aQuantive, a Microsoft Corporation subsidiary
Leading businesses in digital marketing.
212.798.7320 // direct
212.462.4660 // fax
www.aQuantive.com
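
Added example, not part of the original post and not Apache's own tooling: a small check over the .htaccess quoted above that reports which HTTP methods each Require line does not apply to once it is wrapped in <Limit GET>. The METHODS set and the function name uncovered_methods are assumptions made for this illustration, and the sample text is constructed from the post with the elided file paths left out.

```python
import re

# Constructed sample: the auth part of the .htaccess in the post
# (the elided AuthUserFile/AuthGroupFile paths are left out).
HTACCESS = """\
AuthName ByPassword
AuthType Basic
AuthPAM_FallThrough on
<Limit GET>
require group "domain users"
require user clientname
</Limit>
"""

# Methods checked against; a common subset chosen for this example.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

OPEN = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>$", re.I)
CLOSE = re.compile(r"</Limit(Except)?>$", re.I)
REQUIRE = re.compile(r"require\s+(.+)$", re.I)


def uncovered_methods(text):
    """Map each Require line to the methods it does NOT apply to."""
    covered = set(METHODS)  # outside <Limit>, Require covers every method
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := OPEN.match(line)):
            listed = set(m.group(2).split())
            if "GET" in listed:
                listed.add("HEAD")  # httpd handles HEAD under GET
            is_limit = m.group(1).lower() == "limit"
            covered = METHODS & listed if is_limit else METHODS - listed
        elif CLOSE.match(line):
            covered = set(METHODS)
        elif (m := REQUIRE.match(line)):
            result[m.group(1)] = sorted(METHODS - covered)
    return result


if __name__ == "__main__":
    for args, gaps in uncovered_methods(HTACCESS).items():
        print(f"require {args}: does not apply to {', '.join(gaps) or 'nothing'}")
```

Placing the Require lines outside any <Limit> section makes them apply to every method.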