I discovered the initial problem. For some odd reason apache needs read access to /etc/shadow when using mod_auth_pam. Strange. (I guess this is a known issue)

Anyways ... I've now got another problem. Everything works well except for that when I use a supplementary group in "require group blah" in .htaccess ... authentication fails.

Let's say JeffL's primary group is "Domain Users" ... if I do require group "Domain Users" authentication works flawlessly ... but ... if I use "Domains Admins" ... which is one of JeffL's supplementary groups ... I get something like:

    [Mon Sep 22 15:37:09 2003] [error] [client 10.11.13.155] GROUP: JeffL not in required group(s)., referer: http://meeting-lido/

And apache keeps asking me for authentication until it gives up.

My LoadModule statements in httpd.conf look like this:

    LoadModule auth_pam_module modules/mod_auth_pam.so
    LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

Again, any help is appreciated.

Thanks,
Jeff

Jeff Lopes
09/22/2003 10:58 AM

To: pam-list@xxxxxxxxxx
cc:
Subject: Problem with apache, winbind, and mod_auth_pam.

My ultimate goal is to be able to use an Active Directory to authenticate users in Apache 2.0.

My setup is as follows:

    Redhat 9.0 - Kernel 2.4.20
    Apache 2.0.40 (the RH9 RPM)
    Samba 3.0 RC4 (the RPM provided by the samba group)
    The latest version of mod_auth_pam for Apache 2.0 from http://pam.sf.net/mod_auth_pam

Winbind is set up correctly ... I have joined the domain and I am able to list users and groups with both wbinfo and net ads. Also, I am able to use wbinfo -a to test user authentication.

My /etc/pam.d/httpd looks like this:

    #%PAM-1.0
    auth required /lib/security/pam_winbind.so
    account required /lib/security/pam_winbind.so

The relevant portion of /etc/samba/smb.conf looks like this:

    winbind separator = +
    winbind cache time = 10
    template shell = /bin/bash
    template homedir = /home/%D/%U
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    password server = {myprimarydomaincontroller}
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    realm = {myactivedirectorydomain}
    security = ads
    encrypt passwords = yes

And the .htaccess file in the protected directory looks like this:

    AuthPAM_Enabled On
    AuthPAM_FallThrough Off
    AuthAuthoritative Off
    AuthType Basic
    AuthName "secure area"
    require user JeffL

When I browse to the protected portion of the site I am prompted for authentication, as expected. When I enter my domain username and password I get a 401 (Authentication Required) page from Apache.

In /var/log/messages I see:

    Sep 22 10:51:23 meeting-lido pam_winbind[9529]: user 'JeffL' granted acces

But in /var/log/httpd/error_log I see:

    [Mon Sep 22 10:51:23 2003] [error] [client 10.11.13.155] PAM: user 'JeffL' - invalid account: User not known to the underlying authentication module

This is the part I cannot figure out. It looks as if apache is using pam correctly, and pam is also able to contact the winbind service to authenticate. The problem appears to be somewhere in the mod_auth_pam module when it gets its response from pam.

Any help would be greatly appreciated. If there is any additional info I can provide about the configuration, please ask.

Thanks,
Jeff Lopes

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
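
Added example, not part of the original posts and not code from mod_auth_pam or mod_auth_sys_group: a small C diagnostic for the supplementary-group failure described in the follow-up message. It asks NSS the two questions a group check has to cover (the primary gid in the passwd entry, the member list in the group entry) and reports which one matches. How mod_auth_sys_group performs its own check is not shown on this page, and the names classify and grpcheck are chosen here.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>

enum membership { NOT_MEMBER, PRIMARY, SUPPLEMENTARY, CASE_MISMATCH };

/* Classify how the account in pw belongs to the group in gr, using only the
 * fields NSS returns: pw_gid for the primary group, gr_mem for the rest. */
enum membership classify(const struct passwd *pw, const struct group *gr)
{
    enum membership result = NOT_MEMBER;

    if (pw->pw_gid == gr->gr_gid)
        return PRIMARY;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++) {
        if (strcmp(*m, pw->pw_name) == 0)
            return SUPPLEMENTARY;
        /* Listed under different capitalisation: an exact comparison
         * would reject this user, so report it separately. */
        if (strcasecmp(*m, pw->pw_name) == 0)
            result = CASE_MISMATCH;
    }
    return result;
}

static const char *label[] = {
    "not a member", "primary group", "supplementary group (gr_mem)",
    "listed in gr_mem only when case is ignored"
};

/* Usage: ./grpcheck USER GROUP   (run it as the account Apache runs as) */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) { fprintf(stderr, "unknown user %s\n", argv[1]); return 1; }
    struct group *gr = getgrnam(argv[2]);
    if (gr == NULL) { fprintf(stderr, "unknown group %s\n", argv[2]); return 1; }
    enum membership kind = classify(pw, gr);
    printf("%s in %s: %s\n", pw->pw_name, gr->gr_name, label[kind]);
    return kind == NOT_MEMBER || kind == CASE_MISMATCH;
}
```

Running it once for the primary group and once for the supplementary group shows whether the group entry returned through winbind lists the user at all, and under which spelling.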