From: "Jason Lingel"
To: users@httpd.apache.org
Date: Mon, 25 Sep 2006 09:57:14 -0700
Subject: [users@httpd] Kerberos and local group authentication

I've been able to set up Kerberos authentication to W2K AD but want to use local groups, or a list of users, as well. That is, I want users to enter their Windows user name and password and then get access only if they are listed in a local file on the apache server. Has anyone been able to do this?

Setup:

Solaris 8
Apache 2.0.59
krb-1.5.1
mod_auth_kerb 5.0

The httpd.conf entries below aren't my exact entries, but you get the idea.  I want any user listed in groupfile to be able to access the site.  I've tried to use both user and group files.  Users work if specified with realm name in the httpd.conf, i.e., require user user1@COMPANY.COM.  The error I get in the Apache logs (set to debug) is:

configuration error:  couldn't check access.  No groups file?: /directory/test.html

httpd.conf entries:

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate off
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    Krb5KeyTab /etc/krb5/krb5.keytab
    KrbAuthRealms COMPANY.COM
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbSaveCredentials off
    #AuthUserFile groupfile
    AuthGroupFile groupfile
    Require group mygroup

Any help is appreciated.
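
Added example, not part of the original message and not code from Apache or mod_auth_kerb: the post notes that `Require user` matches only when the realm is included (user1@COMPANY.COM), so this script audits a group file for entries that could never equal such a principal. It assumes group members are compared with the authenticated name as exact, case-sensitive strings; the sample file contents and the function names are constructed for illustration.

```python
"""Added example: audit an AuthGroupFile-style file against Kerberos principals."""

# Constructed sample in group-file format: "group: member member ...".
SAMPLE_GROUPFILE = """\
# constructed sample, not the poster's file
mygroup: user1 user2@COMPANY.COM
admins: user3@company.com
"""


def parse_groupfile(text):
    """Return {group: set(members)}; blank lines and # comments are skipped."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def is_member(groups, group, principal):
    """Exact, case-sensitive match (the comparison assumed in the lead-in)."""
    return principal in groups.get(group, set())


def audit(groups, realm):
    """List entries that can never equal a user@REALM principal for `realm`."""
    findings = []
    for group, members in sorted(groups.items()):
        for member in sorted(members):
            user, sep, member_realm = member.partition("@")
            if not sep:
                findings.append(
                    (group, member, "no realm; expected %s@%s" % (user, realm)))
            elif member_realm != realm:
                findings.append((group, member, "realm differs from %s" % realm))
    return findings


if __name__ == "__main__":
    groups = parse_groupfile(SAMPLE_GROUPFILE)
    for principal in ("user1@COMPANY.COM", "user2@COMPANY.COM"):
        print(principal, "in mygroup:", is_member(groups, "mygroup", principal))
    for group, member, reason in audit(groups, "COMPANY.COM"):
        print("%s: %s (%s)" % (group, member, reason))
```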