My problem was that the application, mod_pam_auth, does a pam_acct_mgmt() after it authenticates the user. Because the users I was authenticating existed only on the NT server, and because I had no "account" lines in my configuration file (pam_smb provides no account service), the default (other) "account" action would take place and fail because the users don't exist locally. Making these changes to my config file fixed me up.

###################################################################
#%PAM-1.0
#
auth required /lib/security/pam_smb_auth.so debug nolocal
account required /lib/security/pam_permit.so
###################################################################

I think this isn't too dangerous because NT will not authenticate users if the account is disabled, expired, locked out, etc. Please let me know your opinion if you think otherwise.

Thanks,

- Ben

On Tue, Apr 10, 2001 at 07:39:25PM -0700, Ben Johnson wrote:
> Hi.
>
> I'm trying to get apache to authenticate users against my remote NT
> server. The logs are telling me that NT is successfully authenticating
> my test user but another log tells me that the user has expired. I
> believe the expiration error is caused by an attempt to look up the test
> user in the password file on the web server. The user does exist there but
> shadow passwords are in use and apache does not have the needed access
> to look at it. I don't want any user lookups to happen on the web server
> at all, if that's possible.
>
>
> Here's my setup...
>
> #/etc/pam_smb.conf
> #######################
> WORKGROUP
> VPNNET
> VPNNET
> #######################
>
> I have verified that pam_smb is working without the apache module.
>
> #/etc/pam.d/httpd
> ################################################################
> #%PAM-1.0
> #[For version 1.0 syntax, the above header is optional]
> #
> # The PAM configuration file for the `httpd' service
> #
>
> auth sufficient /lib/security/pam_smb_auth.so debug
> ################################################################
>
>
> Each time I try to authenticate via apache I get some errors in the
> httpd and security log files.
>
> #httpd log
> [Tue Apr 10 19:04:55 2001] [error] access to /manual/ failed for 192.168.3.229, reason: User account has expired
>
> #security log
> Apr 10 19:04:55 ssldesk2 httpd: pam_smb: Local UNIX username/password check incorrect.
> Apr 10 19:04:55 ssldesk2 httpd: pam_smb: Configuration Data, Primary VPNNET, Backup VPNNET, Domain WORKGROUP.
> Apr 10 19:04:55 ssldesk2 httpd: pam_smb: Correct NT username/password pair
>
>
> So it looks like the local username/password lookup is causing an
> authentication failure, even though pam_smb is succeeding. What am I
> doing wrong? I know I must be doing something stupid.
>
> Thanks for any help.
>
> - Ben
>
>
>
> _______________________________________________
>
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
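
Added example, not part of the original posts: a small Python check for the two conditions this thread turns on, a service file with no "account" lines (so pam_acct_mgmt() is decided by the "other" service) and an account stack made up only of pam_permit.so. The function names and the sample strings are constructed for illustration; the parser is simplified and ignores line continuations and @include.

```python
import re

# Constructed inputs: the two /etc/pam.d/httpd variants quoted in the thread.
BEFORE = "#%PAM-1.0\nauth sufficient /lib/security/pam_smb_auth.so debug\n"
AFTER = (
    "#%PAM-1.0\n"
    "auth required /lib/security/pam_smb_auth.so debug nolocal\n"
    "account required /lib/security/pam_permit.so\n"
)

# type, control (plain word or [bracketed list]), module path, optional arguments
LINE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", re.I
)

def parse_stack(text):
    """Map each management group to its (control, module, args) entries."""
    stack = {"auth": [], "account": [], "password": [], "session": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines fall out
        m = LINE.match(line)
        if m:  # @include and malformed lines do not match and are skipped
            mtype, control, path, args = m.groups()
            module = path.rsplit("/", 1)[-1]  # compare on the module file name
            stack[mtype.lower()].append((control, module, args.split()))
    return stack

def audit_account(service, text):
    """Return findings about how account management is decided for a service."""
    account = parse_stack(text)["account"]
    if not account:
        return [f"{service}: no account lines; pam_acct_mgmt() is decided "
                "by the 'other' service"]
    if all(module == "pam_permit.so" for _, module, _ in account):
        return [f"{service}: account stack is only pam_permit.so; "
                "no local expiry or lockout check is made"]
    return []

if __name__ == "__main__":
    for name, text in (("httpd (before)", BEFORE), ("httpd (after)", AFTER)):
        for finding in audit_account(name, text):
            print(finding)
```

The second finding is informational for a setup like the one described here, where the remote authenticator is expected to refuse disabled or expired accounts.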