RE: [users@httpd] repeated authentication requests

Just an idea - use "normal" authentication (use AuthUserFile - see docs for details) and see if it works. That will eliminate an apache config problem and clearly identify PAM as the culprit...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> -----Original Message-----
> From: Barham, David [mailto:barhamd@xxxxxxx]
> Sent: Dienstag, 8. November 2005 12:52
> To: users@xxxxxxxxxxxxxxxx
> Subject: RE: [users@httpd] repeated authentication requests
> 
> 
> Usual document root is /var/www/html. I wanted to do the 
> testing somewhere else and /tmp/{my user} seemed like a good idea.
> 
> Usually, the first time I go to the secure pages after 
> starting a browser I get a 401 on the first page. Then, when 
> I authenticate I typically get a number of images down. Then, 
> if I go to another page I get a further 401, usually on the 
> first image to be loaded onto the page. However it is not 
> consistent and appears to happen pretty randomly. The 200 is 
> appearing as I went back to a page.
> 
> I have just noticed that in the access_log in these 
> circumstances I see
>  
> [Tue Nov 08 11:46:56 2005] [info] (104)Connection reset by peer: core_output_filter: writing data to the network
> [Tue Nov 08 11:46:56 2005] [error] [client 134.244.154.125] PAM: user 'barhamd' - not authenticated: Authentication failure, referer: http://cbrlux13/secure/teams/bodyshop/PSB_Menu.htm
> [Tue Nov 08 11:46:56 2005] [error] [client 134.244.154.125] PAM: user 'barhamd' - not authenticated: Authentication failure, referer: http://cbrlux13/secure/teams/bodyshop/PSB_Menu.htm
> [Tue Nov 08 11:46:56 2005] [info] (104)Connection reset by peer: core_output_filter: writing data to the network
> [Tue Nov 08 11:46:56 2005] [info] (104)Connection reset by peer: core_output_filter: writing data to the network
> [Tue Nov 08 11:47:08 2005] [info] (104)Connection reset by peer: core_output_filter: writing data to the network
> 
> So it looks like PAM is somehow failing to authenticate 
> against the DC. 
> 
> David
> 
> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@xxxxxxx] 
> Sent: 08 November 2005 11:39
> To: users@xxxxxxxxxxxxxxxx
> Subject: RE: [users@httpd] repeated authentication requests
> 
> 
> 
> > -----Original Message-----
> > From: Barham, David [mailto:barhamd@xxxxxxx]
> 
> > Alias /tmp/barhamd "/tmp/barhamd/"
> 
> What is the point of this directive?
> Is /tmp/barhamd/ the full path to a directory?
> 
> 
> > My /var/log/httpd/access_log shows
> > 134.244.154.125 - barhamd [08/Nov/2005:09:36:33 +0000] "GET /tmp/barhamd/ HTTP/1.1" 200 769 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> > 134.244.154.125 - barhamd [08/Nov/2005:09:36:33 +0000] "GET /tmp/barhamd/2.jpg HTTP/1.1" 401 476 "http://cbrlux13/tmp/barhamd/" "Mozilla/4.0 
> 
> I don't understand your URLs... http://cbrlux13/tmp/barhamd/ 
> implies that you have Docroot set to "/" - is that so?
> 
> Also, why do you get a 200 on the first hit to GET 
> /tmp/barhamd/ ? You should get a 401 here so the browser 
> prompts for credentials.
> 
> Restart  the browser and try again.
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> > (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> > 134.244.154.125 - barhamd [08/Nov/2005:09:36:33 +0000] "GET /tmp/barhamd/1.jpg HTTP/1.1" 200 1043 "http://cbrlux13/tmp/barhamd/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> > 134.244.154.125 - barhamd [08/Nov/2005:09:36:33 +0000] "GET /tmp/barhamd/3.jpg HTTP/1.1" 200 1316 "http://cbrlux13/tmp/barhamd/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> > 134.244.154.125 - barhamd [08/Nov/2005:09:36:33 +0000] "GET /tmp/barhamd/4.jpg HTTP/1.1" 200 1248 "http://cbrlux13/tmp/barhamd/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> > 
> > And after re-entering my username/password ---
> > 
> > 134.244.154.125 - barhamd [08/Nov/2005:09:36:36 +0000] "GET /tmp/barhamd/2.jpg HTTP/1.1" 200 1339 "http://cbrlux13/tmp/barhamd/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> > 
> > The html for index.html is 
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
> > <HTML>
> > <HEAD>
> > <TITLE>Home Page</TITLE>
> > </HEAD>
> > 
> > <P>
> > <CENTER>
> > <TABLE BORDER=0 CELLSPACING=4 CELLPADDING=2>
> > <TR ALIGN=left>
> >         <TD><A HREF="one.htm"><IMG BORDER=0 SRC="1.jpg"></A></TD>
> > </TR>
> > <TR ALIGN=left>
> >         <TD><A HREF="two.htm"><IMG BORDER=0 SRC="2.jpg"></A></TD>
> > </TR>
> > <TR ALIGN=left>
> >         <TD><A HREF="three.htm"><IMG BORDER=0 SRC="3.jpg"></A></TD>
> > </TR>
> > <TR ALIGN=left>
> >         <TD><A HREF="four.htm"><IMG BORDER=0 SRC="4.jpg"></A></TD>
> > </TR>
> > </TABLE>
> > </CENTER>
> > 
> > </BODY>
> > </HTML>
> > 
> > 
> > Sorry page is not public so can't allow access.
> > 
> > Thanks
> > David Barham
> > 
> > -----Original Message-----
> > From: Boyle Owen [mailto:Owen.Boyle@xxxxxxx] 
> > Sent: 08 November 2005 07:38
> > To: users@xxxxxxxxxxxxxxxx
> > Subject: RE: [users@httpd] repeated authentication requests
> > 
> > Plain text please...
> > 
> > First, what does "...from a windows AD" mean? Are you 
> > accessing the page via apache or locally via the filesystem?
> > 
> > Regarding the problem;
> > - how is your protected realm configured? (don't post the 
> > whole config - just the relevant section)
> > - do you have more than one realm?
> > - what is the path to the images (are they in the same dir 
> > as the page or a separate image dir)?
> > - is the image dir also a protected realm?
> > - are there any redirect rules in force?
> > 
> > Confusing behaviour like this can arise if you happen to nest 
> > realms (eg, /dir1 is a realm and then you configure 
> > /dir1/subdir as a realm also) or if you redirect resources 
> > from one realm to another parallel realm.
> > 
> > Is the page on the public internet? Can we have a look?
> > 
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored. 
> > 
> > -----Original Message-----
> > From: Barham, David [mailto:barhamd@xxxxxxx]
> > Sent: Montag, 7. November 2005 19:08
> > To: users@xxxxxxxxxxxxxxxx
> > Subject: [users@httpd] repeated authentication requests
> > 
> > 
> > I'm running Apache 2.0.52 on RHEL 2 (EM64T)
> > I've installed mod_auth_pam and have got the user 
> > authentication working correctly from a windows AD.
> > However, I'm finding that I'm getting asked to 
> > re-authenticate multiple times.
> >  
> > In a simple example I might get a page index.html with 
> > multiple images. The index.html downloads but then the next 
> > entry in the httpd log is a 401 for image1.gif. My browser 
> > prompts (again) for username/password but even while it is 
> > waiting for a response I see GETs for image2.gif, image3.gif etc.
> >  
> > If I cancel the username/password dialog box and then refresh 
> > the browser I get the gif which was missing the first time 
> > around but this time get the 401 on a different image. It 
> > seems to always be the second GET which causes this.
> >  
> > Has anyone seen this?
> >  
> > Thanks
> > David Barham
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
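Added example, not part of the original thread: a small script that separates the two kinds of 401 discussed above by correlating access_log entries with the PAM failures in the error log. A 401 logged with user "-" is the normal challenge; a 401 logged with a username means the client did send credentials and the backend rejected them. The sample log lines are constructed, modelled on the formats quoted in the thread, and both logs are assumed to use the same timezone.

```python
import re
from datetime import datetime

# Combined-format access_log: client, ident, user, [time], "METHOD path ...", status
ACCESS = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# mod_auth_pam rejection as it appears in the error log quoted in the thread
PAM_FAIL = re.compile(r"\[(\w{3} \w{3} \d{2} [\d:]{8} \d{4})\] \[error\] "
                      r"\[client (\S+)\] PAM: user '([^']+)' - not authenticated")

# Constructed sample input, modelled on the log formats quoted in the thread.
ACCESS_LOG = """\
134.244.154.125 - - [08/Nov/2005:11:46:50 +0000] "GET /secure/ HTTP/1.1" 401 476 "-" "Mozilla/4.0"
134.244.154.125 - barhamd [08/Nov/2005:11:46:55 +0000] "GET /secure/ HTTP/1.1" 200 769 "-" "Mozilla/4.0"
134.244.154.125 - barhamd [08/Nov/2005:11:46:56 +0000] "GET /secure/1.jpg HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
134.244.154.125 - barhamd [08/Nov/2005:11:46:56 +0000] "GET /secure/2.jpg HTTP/1.1" 401 476 "-" "Mozilla/4.0"
"""
ERROR_LOG = """\
[Tue Nov 08 11:46:56 2005] [info] (104)Connection reset by peer: core_output_filter: writing data to the network
[Tue Nov 08 11:46:56 2005] [error] [client 134.244.154.125] PAM: user 'barhamd' - not authenticated: Authentication failure, referer: http://cbrlux13/secure/
"""

def pam_failures(error_log):
    """Return {(client, user, timestamp)} for every PAM rejection logged."""
    hits = filter(None, map(PAM_FAIL.search, error_log.splitlines()))
    return {(m.group(2), m.group(3),
             datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")) for m in hits}

def classify_401s(access_log, error_log, window=2):
    """Label each 401: 'challenge' (no credentials sent), 'backend-reject'
    (credentials sent, PAM failure logged within `window` s) or 'unexplained'."""
    fails, results = pam_failures(error_log), []
    for line in access_log.splitlines():
        m = ACCESS.match(line)
        if not m or m.group(6) != "401":
            continue
        client, user, path = m.group(1), m.group(2), m.group(5)
        # Assumption: both logs use the same timezone, so the offset is dropped.
        ts = datetime.strptime(m.group(3).split()[0], "%d/%b/%Y:%H:%M:%S")
        if user == "-":
            label = "challenge"
        elif any(c == client and u == user and abs((t - ts).total_seconds()) <= window
                 for c, u, t in fails):
            label = "backend-reject"
        else:
            label = "unexplained"
        results.append((path, user, label))
    return results

if __name__ == "__main__":
    print(classify_401s(ACCESS_LOG, ERROR_LOG))
```

If the "backend-reject" entries disappear after switching the same directory to AuthUserFile, the intermittent failures come from the PAM path rather than from the Apache realm configuration.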


