auth_pam - not working...but why?
Nick Owen
nowen at wikidsystems.com
Mon Dec 17 22:24:07 UTC 2007
Andrew Sternick wrote:
> I am trying to get an apache/pam/smb system working happily. Samba
> swapping spit with AD and I am able to use the wbinfo and getent
> commands, and also chown/chgrp to domain accounts and groups. I am
> unsure if apache is configured correctly, but I cannot find any
> useful logging facility to help with the PAM config. I am running
> Fedora Core 6 with httpd 2.2.6.
>
> For /etc/pam.d/httpd:
>
> #%PAM-1.0
> auth required pam_winbind.so debug
> account required pam_winbind.so debug
>
> I am loading the PAM modules via the auth_pam.conf file in the
> ../conf.d directory:
>
> [root at sys01 conf.d]# more auth_pam.conf
> LoadModule auth_pam_module modules/mod_auth_pam.so
> LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
>
> Here is my virtual-hosts.conf:
>
> # xx.site.com
> <VirtualHost 10.66.160.5>
> DocumentRoot /import/www.sites/xx/htdocs
> ServerName xx.site.com
> CustomLog logs/xx.site.com-access_log combined
> ErrorLog logs/xx.site.com-error_log
> <Directory /import/www.sites>
> AllowOverride All
> AuthPAM_Enabled on
> AuthType Basic
> Require valid-user
> AuthGROUP_FallThrough on
> AuthPAM_FallThrough on
> Options ExecCGI FollowSymLinks +Includes +Indexes
> IndexOptions FancyIndexing
> order deny,allow
> deny from all
> allow from all
> </Directory>
> </VirtualHost>
>
> Last but not least, the relevant .htaccess file:
>
> AuthUserFile …. /.htpasswd
> AuthGroupFile …./.htgroup
> AuthName ByPassword
> AuthType Basic
> AuthPAM_FallThrough on
> <Limit GET>
> require group "domain users"
> require user clientname
> </Limit>
>
> According to my calculations, now httpd should be able to use domain
> accounts to authenticate. The files in question on this webserver
> have “domain users” as the group owner and 775 permissions – this is
> not a filesystem permissions issue. At the apache authentication
> prompt, when I give a domain account “blah”, apache’s error log says
> “user blah not found”. Of course the “clientname” account works so
> Apache+PAM are the prime suspects for a configuration problem.
>
> So here is the question: is there any way to see what apache is
> doing vis a vis auth_pam? I’d like to get something more useful out
> of apache’s logging for this, but I do not know how to make that
> happen.
Not sure if this is the issue, but you might need to add
AuthBasicProvider <provider>
to your httpd.conf. Upgrading apache broke mine and I got no useful
error messages. Apache changed the way basic auth was handled somewhere
along the line. It could be the auth_pam needs an update too...
HTH,
nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
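
Added example, not part of the original thread: a small check that lists every scope in an Apache config or .htaccess file that sets `AuthType Basic` without an `AuthBasicProvider` in that scope or an enclosing one, which is the condition the reply above suggests looking at. The sample config is constructed from the directives quoted in the post, and the provider value `file` in the second sample is only a stand-in; whether mod_auth_pam itself needs the directive is not established by the thread.

```python
import re

# Constructed sample, modelled on the directives quoted in the post above.
SAMPLE_VHOST = """\
<VirtualHost 10.66.160.5>
ServerName xx.site.com
<Directory /import/www.sites>
AllowOverride All
AuthPAM_Enabled on
AuthType Basic
Require valid-user
</Directory>
</VirtualHost>
"""
# Same config with a provider line added ("file" is a stand-in value).
SAMPLE_FIXED = SAMPLE_VHOST.replace(
    "AuthType Basic", "AuthType Basic\nAuthBasicProvider file")

OPEN = re.compile(r"<\s*([A-Za-z]+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*([A-Za-z]+)\s*>")


def basic_without_provider(text):
    """Return labels of scopes that set AuthType Basic but have no
    AuthBasicProvider in the same scope or any enclosing scope."""
    root = ["(top level)", False, False]   # [label, has_basic, has_provider]
    stack, scopes = [root], [(root, ())]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
        elif (m := OPEN.match(line)):
            frame = [f"<{m.group(1)} {m.group(2).strip()}>", False, False]
            scopes.append((frame, tuple(stack)))   # remember enclosing scopes
            stack.append(frame)
        else:
            words = line.lower().split()
            if words[:2] == ["authtype", "basic"]:
                stack[-1][1] = True
            elif words[0] == "authbasicprovider":
                stack[-1][2] = True
    return [f[0] for f, outer in scopes
            if f[1] and not f[2] and not any(o[2] for o in outer)]
```

Run it over the main config, each file it includes, and each .htaccess separately; a .htaccess is reported as `(top level)` because the checker does not know which `<Directory>` it is merged into.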