auth_pam - not working...but why?

Andrew Sternick Andrew.Sternick at aquantive.com
Mon Dec 17 22:05:10 UTC 2007


I am trying to get an apache/pam/smb system working happily.  Samba is
swapping spit with AD and I am able to use the wbinfo and getent
commands, and also chown/chgrp to domain accounts and groups.  I am
unsure if apache is configured correctly, but I cannot find any useful
logging facility to help with the PAM config.  I am running Fedora Core
6 with httpd 2.2.6.

For /etc/pam.d/httpd:

#%PAM-1.0
auth       required     pam_winbind.so debug
account    required     pam_winbind.so debug

I am loading the PAM modules via the auth_pam.conf file in the ../conf.d
directory:

[root@sys01 conf.d]# more auth_pam.conf
LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

Here is my virtual-hosts.conf:

# xx.site.com
<VirtualHost 10.66.160.5>
    DocumentRoot /import/www.sites/xx/htdocs
    ServerName xx.site.com
    CustomLog logs/xx.site.com-access_log combined
    ErrorLog logs/xx.site.com-error_log
    <Directory /import/www.sites>
        AllowOverride All
        AuthPAM_Enabled on
        AuthType Basic
        Require valid-user
        AuthGROUP_FallThrough on
        AuthPAM_FallThrough on
        Options ExecCGI FollowSymLinks +Includes +Indexes
        IndexOptions FancyIndexing
        order deny,allow
        deny from all
        allow from all
    </Directory>
</VirtualHost>

Last but not least, the relevant .htaccess file:

AuthUserFile .... /.htpasswd
AuthGroupFile ..../.htgroup
AuthName ByPassword
AuthType Basic
AuthPAM_FallThrough on
<Limit GET>
    require group "domain users"
    require user clientname
</Limit>

According to my calculations, now httpd should be able to use domain
accounts to authenticate.  The files in question on this webserver have
"domain users" as the group owner and 775 permissions - this is not a
filesystem permissions issue.  At the apache authentication prompt, when
I give a domain account "blah", apache's error log says "user blah not
found".  Of course the "clientname" account works so Apache+PAM are the
prime suspects for a configuration problem.

So here is the question:  is there any way to see what apache is doing
vis a vis auth_pam?  I'd like to get something more useful out of
apache's logging for this, but I do not know how to make that happen.

Andrew Sternick
System Administrator

aQuantive, a Microsoft Corporation subsidiary
Leading businesses in digital marketing.

212.798.7320 // direct
212.462.4660 // fax
www.aQuantive.com
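
An added example, not part of the original post: a small Python lint over the directives quoted above, flagging three things a reviewer would check in this Apache 2.2 setup: Require lines scoped by <Limit>, an Order/Deny/Allow set that nets out to allow-all, and PAM enabled while mod_auth_basic is still authoritative. The function name and finding codes are hypothetical, and the last check assumes the 2.2 default of AuthBasicAuthoritative On.

```python
import re

# Directives copied from the post (<Directory> block, then .htaccess);
# the elided AuthUserFile path is left elided.
POSTED = """\
<Directory /import/www.sites>
AuthPAM_Enabled on
AuthType Basic
Require valid-user
order deny,allow
deny from all
allow from all
</Directory>
AuthUserFile .... /.htpasswd
AuthPAM_FallThrough on
<Limit GET>
require group "domain users"
require user clientname
</Limit>
"""

def lint(conf):
    """Return (code, detail) findings for Apache 2.2 auth directives."""
    findings, limit, seen = [], None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"<(/?)Limit\b([^>]*)>", line, re.I)
        if m:  # track which methods an enclosing <Limit> names
            limit = None if m.group(1) else m.group(2).split()
            continue
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        name, value = name.lower(), value.strip().lower()
        seen.setdefault(name, []).append(value)
        if name == "require" and limit:
            # Require inside <Limit> covers only the listed methods
            findings.append(("LIMIT_SCOPED_REQUIRE",
                             "%s applies to %s only" % (value, "/".join(limit))))
    if (seen.get("order") == ["deny,allow"]
            and "from all" in seen.get("allow", [])):
        # Order deny,allow evaluates Allow last, so it overrides Deny
        findings.append(("HOST_ACL_NOOP", "allow from all wins"))
    if ("on" in seen.get("authpam_enabled", [])
            and "off" not in seen.get("authbasicauthoritative", [])):
        # Assumption: 2.2 default AuthBasicAuthoritative On, so the
        # basic-auth provider rejects unknown users before PAM is tried
        findings.append(("BASIC_AUTHORITATIVE", "mod_auth_basic decides first"))
    return findings
```

Calling lint(POSTED) returns the findings in the order the checks run; each is a (code, detail) pair.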

 
