httpd-users mailing list archives

From John Stile <jo...@meyersound.com>
Subject [users@httpd] group authentication failing with apache2mod_auth_pam and winbind
Date Tue, 10 May 2005 01:19:44 GMT
I am trying to set up Apache authentication to use:
   mod_auth_pam, winbind, and Active Directory.
It works for 'Require user johns'
But it fails for 'Require group developers' even though johns is a
member.

The logs indicate a fail and a pass:
  ==> /var/log/apache2/access.log <==
  192.168.60.162 - - [09/May/2005:10:57:16 -0700] "GET /JOHN HTTP/1.1" 401 602 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 SUSE/1.0.3-1.1"
  192.168.60.162 - johns [09/May/2005:10:57:26 -0700] "GET /JOHN HTTP/1.1" 401 602 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 SUSE/1.0.3-1.1"
 
  ==> /var/log/apache2/error.log <==
  [Mon May 09 10:57:26 2005] [error] [client 192.168.60.162] access to /JOHN failed, reason: user johns not allowed access

  ==> /var/log/auth.log <==
  May  9 10:57:26 localhost pam_winbind[8564]: user 'johns' granted access

Winbind is working great with samba shares, and I can authenticate a
user against AD using 'wbinfo -a MS+johns%password'.  I can get a dump
of groups (and members) with 'getent group' so nsswitch is set up
correctly.

/etc/pam.d/apache2
auth            required      pam_winbind.so
account        required      pam_winbind.so

Snip from the apache config which uses AuthPAM_Enabled
        ####################
        # TESTING winbind authentication
        ####################
        <Location /JOHN>
           DAV svn
           # SVNAutoversioning on
           #AuthzSVNAccessFile /etc/apache2/dav_svn.passwd
           SVNPath /home/jstile/repo
           SVNIndexXSLT "/apache2-default/svnindex.xsl"
           AuthType Basic
           AuthName "SVN repository"
           AuthPAM_Enabled on
           Require group 'developers'
        </Location>

Environment: 
----------------
Debian 3.0 testing
libapache2-mod-auth-pam 1.1.1-6
apache2 2.0.54-2
winbind 3.0.14a-1 
apache2 2.0.54-2

I have looked for other posts, but they have been dead ends (no
solution at the end of the trail).  I've spent a few days looking and
there might be a solution somewhere among the cruft, but I haven't found
it.

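An added diagnostic example, not part of the original post: the logs above show pam_winbind granting the password check while Apache denies the request, so the group test is a separate lookup from authentication. This script compares the name given to 'Require group' with the names that 'getent group' output actually lists for the user. The sample group lines, gids and the MS+ prefixed group name are constructed assumptions modelled on the 'MS+johns' form in the post, and the script does not model how any Apache module performs its own check.

```python
"""Compare a 'Require group' name with names in `getent group` output."""
import subprocess
import sys

# Constructed sample in group(5) format: name:passwd:gid:members
SAMPLE_GETENT = """\
root:x:0:
svn:x:1001:jstile
MS+developers:x:10005:MS+johns,MS+maryk
MS+domain users:x:10000:
"""

def parse_groups(text):
    """Return {group_name: set(members)} from group(5)-format lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        name, _passwd, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups

def bare(name, sep="+"):
    """Strip a DOMAIN<sep> prefix (the winbind separator) if present."""
    return name.split(sep, 1)[1] if sep in name else name

def check_require_group(text, user, required, sep="+"):
    """Return (exact, near).

    exact: a group named exactly `required` lists exactly `user`.
    near:  (group, member) pairs that match only once the domain
           prefix is stripped from either side.
    """
    groups = parse_groups(text)
    exact = user in groups.get(required, set())
    near = sorted(
        (g, m) for g, members in groups.items() for m in members
        if bare(g, sep) == bare(required, sep)
        and bare(m, sep) == bare(user, sep)
        and (g, m) != (required, user))
    return exact, near

if __name__ == "__main__":
    text, user, required = SAMPLE_GETENT, "johns", "developers"
    if len(sys.argv) > 2:  # real lookup through nsswitch
        user, required = sys.argv[1:3]
        text = subprocess.run(["getent", "group"],
                              capture_output=True, text=True).stdout
    print(check_require_group(text, user, required))
```

A user who belongs to a group only as the primary group does not appear in the member field, so this covers supplementary membership only.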