auth_pam - not working...but why?

Nick Owen nowen at wikidsystems.com
Mon Dec 17 22:24:07 UTC 2007


Andrew Sternick wrote:
> I am trying to get an apache/pam/smb system working happily.  Samba is
> swapping spit with AD, and I am able to use the wbinfo and getent 
> commands, and also chown/chgrp to domain accounts and groups.  I am 
> unsure if apache is configured correctly, but I cannot find any
> useful logging facility to help with the PAM config.  I am running
> Fedora Core 6 with httpd 2.2.6.
> 
> For /etc/pam.d/httpd:
> 
> #%PAM-1.0
> auth       required     pam_winbind.so debug
> account    required     pam_winbind.so debug
> 
> I am loading the PAM modules via the auth_pam.conf file in the
> ../conf.d directory:
> 
> [root at sys01 conf.d]# more auth_pam.conf
> LoadModule auth_pam_module modules/mod_auth_pam.so
> LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
> 
> Here is my virtual-hosts.conf:
> 
> # xx.site.com
> <VirtualHost 10.66.160.5>
> DocumentRoot /import/www.sites/xx/htdocs
> ServerName xx.site.com
> CustomLog logs/xx.site.com-access_log combined
> ErrorLog logs/xx.site.com-error_log
> <Directory /import/www.sites>
> AllowOverride All
> AuthPAM_Enabled on
> AuthType Basic
> Require valid-user
> AuthGROUP_FallThrough on
> AuthPAM_FallThrough on
> Options ExecCGI FollowSymLinks +Includes +Indexes
> IndexOptions FancyIndexing
> order deny,allow
> deny from all
> allow from all
> </Directory>
> </VirtualHost>
> 
> Last but not least, the relevant .htaccess file:
> 
> AuthUserFile …. /.htpasswd
> AuthGroupFile …./.htgroup
> AuthName ByPassword
> AuthType Basic
> AuthPAM_FallThrough on
> <Limit GET>
> require group "domain users"
> require user clientname
> </Limit>
> 
> According to my calculations, now httpd should be able to use domain 
> accounts to authenticate.  The files in question on this webserver
> have “domain users” as the group owner and 775 permissions – this is
> not a filesystem permissions issue.  At the apache authentication
> prompt, when I give a domain account “blah”, apache’s error log says
> “user blah not found”.  Of course the “clientname” account works so
> Apache+PAM are the prime suspects for a configuration problem.
> 
> So here is the question:  is there any way to see what apache is
> doing vis a vis auth_pam?  I’d like to get something more useful out
> of apache’s logging for this, but I do not know how to make that
> happen.

Not sure if this is the issue, but you might need to add

AuthBasicProvider <provider>

to your httpd.conf. Upgrading apache broke mine and I got no useful
error messages.  Apache changed the way basic auth was handled somewhere
along the line.  It could be the auth_pam needs an update too...

HTH,

nick


-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
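
The check suggested in the reply can be run mechanically over a configuration. The following Python script is an added example, not code from the thread, Apache, or mod_auth_pam: it lists every config scope that sets `AuthType Basic` without naming an `AuthBasicProvider`. The function names, the simplified parser, and the condensed sample config are assumptions made for illustration.

```python
# Added example: find Basic-auth scopes that never name an AuthBasicProvider.
# Assumptions: one directive per line, no Include handling, no inheritance
# merging between nested sections (each scope is reported on its own).

# Constructed sample, condensed from the auth-related lines quoted in the thread.
SAMPLE_VHOST = """\
<VirtualHost 10.66.160.5>
<Directory /import/www.sites>
AuthPAM_Enabled on
AuthType Basic
Require valid-user
AuthPAM_FallThrough on
</Directory>
</VirtualHost>
"""

# Same sample with an explicit provider line; "file" is only a stand-in value.
SAMPLE_EXPLICIT = SAMPLE_VHOST.replace(
    "AuthType Basic", "AuthType Basic\nAuthBasicProvider file")

def auth_scopes(text):
    """Return one record per section (or top level) that sets AuthType."""
    stack = [("(top level)", {})]
    closed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(stack) > 1:              # ignore a stray closing tag
                closed.append(stack.pop())
        elif line.startswith("<"):
            stack.append((line.strip("<>").strip(), {}))
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            stack[-1][1][name.lower()] = value.strip()  # names are case-insensitive
    records = []
    for scope, d in closed + stack:
        if "authtype" in d:
            records.append({"scope": scope, "authtype": d["authtype"],
                            "provider": d.get("authbasicprovider"),
                            "pam": sorted(k for k in d if k.startswith("authpam_"))})
    return records

def missing_provider(text):
    """Scopes using AuthType Basic with no explicit AuthBasicProvider."""
    return [r["scope"] for r in auth_scopes(text)
            if r["authtype"].lower() == "basic" and r["provider"] is None]
```

Running `missing_provider()` over a real virtual-host file and its `.htaccess` files separately shows which scopes rely on the server's default provider rather than an explicit one.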
