Hello,

Configuring apache to use pam for http authentication (via apache's mod_auth_pam module: http://pam.sourceforge.net/mod_auth_pam/), and using pam_winbind as the module for apache, I can properly authenticate users and enforce account authorization rules, _EXCEPT_ when access control relies on nested groups.

E.g. There are groups named IT-admin, IT-staff, and IT. The IT group is defined as the members IT-staff and IT-admin. I.e. IT is a nested group. If the apache access control says:

    Require IT

then nobody is able to authenticate. I have to change the access control to say:

    Require IT-admin IT-staff

in order for any of the intended people to be able to authenticate.

However, sshd on the same server is also using pam, and also using the pam_winbind module. The sshd server config says:

    UsePAM yes
    AllowGroups IT

and any member of IT-admin and IT-staff is able to authenticate and connect via ssh.

This suggests that either there is something wrong with mod_auth_pam that prevents nested groups from working, or that there's something wrong with the pam config I used for apache (see below).

Any ideas how to make apache use pam, and to recognize nested groups?

Here's the pam config I used for apache:

    auth    required   pam_winbind.so debug
    account required   pam_winbind.so debug

And here's the pam config I used for ssh:

    auth       required     pam_env.so # [1]
    @include common-auth
    @include common-account
    @include common-session
    session    optional     pam_motd.so # [1]
    session    optional     pam_mail.so standard noenv # [1]
    session    required     pam_limits.so
    @include common-password

Here's the contents of the common-auth file:

    auth requisite pam_nologin.so debug
    auth [success=1 default=ignore] pam_localuser.so
    auth [success=done auth_err=bad] pam_winbind.so debug
    auth required pam_unix.so nullok_secure debug

And finally, the contents of the common-account file:

    account [success=1 default=ignore] pam_localuser.so
    account [success=done default=bad] pam_winbind.so debug
    account required pam_unix.so nullok_secure debug

--
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
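
A diagnostic for the symptom described above, added here as an example and not part of the original post: it compares the two ways a service can ask NSS whether a user belongs to a group (the group's member list versus the user's resolved group list). Which view mod_auth_pam or sshd relies on is not stated in the post; the function names are hypothetical, and the lookups are injectable so the comparison can be tried on constructed data.

```python
#!/usr/bin/env python3
"""Compare two NSS views of group membership for one user (added example)."""
import grp
import os
import pwd
import sys


def in_member_list(user, group, getgrnam=grp.getgrnam, getpwnam=pwd.getpwnam):
    """View 1: user is named in the group's member list, or the group is the
    user's primary group. If the NSS backend does not expand nested groups
    into the member list, a nested group yields False here."""
    try:
        g, p = getgrnam(group), getpwnam(user)
    except KeyError:          # unknown user or group
        return False
    return user in g.gr_mem or p.pw_gid == g.gr_gid


def in_group_list(user, group, getgrnam=grp.getgrnam, getpwnam=pwd.getpwnam,
                  getgrouplist=os.getgrouplist):
    """View 2: the group's gid appears in the user's resolved group list."""
    try:
        g, p = getgrnam(group), getpwnam(user)
    except KeyError:
        return False
    return g.gr_gid in getgrouplist(user, p.pw_gid)


def compare(user, groups, getgrnam=grp.getgrnam, getpwnam=pwd.getpwnam,
            getgrouplist=os.getgrouplist):
    """Return {group: (member_list_view, group_list_view)} for one user."""
    return {
        name: (in_member_list(user, name, getgrnam, getpwnam),
               in_group_list(user, name, getgrnam, getpwnam, getgrouplist))
        for name in groups
    }


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: groupviews.py USER GROUP [GROUP ...]")
    for name, (member, resolved) in compare(sys.argv[1], sys.argv[2:]).items():
        flag = "" if member == resolved else "  <-- views disagree"
        print(f"{name}: member-list={member} group-list={resolved}{flag}")
```

Run it on the server for one affected domain user with the groups IT, IT-admin and IT-staff; a group where the two views disagree is one that a member-list check and a group-list check will treat differently.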