Andrew Sternick wrote:
> I am trying to get an apache/pam/smb system working happily. Samba
> swapping spit with AD and I am able to use the wbinfo and getent
> commands, and also chown/chgrp to domain accounts and groups. I am
> unsure if apache is configured correctly, but I cannot find any
> useful logging facility to help with the PAM config. I am running
> Fedora Core 6 with httpd 2.2.6.
>
> For /etc/pam.d/httpd:
>
> #%PAM-1.0
> auth required pam_winbind.so debug
> account required pam_winbind.so debug
>
> I am loading the PAM modules via the auth_pam.conf file in the
> ../conf.d directory:
>
> [root@sys01 conf.d]# more auth_pam.conf
> LoadModule auth_pam_module modules/mod_auth_pam.so
> LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
>
> Here is my virtual-hosts.conf:
>
> # xx.site.com
> <VirtualHost 10.66.160.5>
>   DocumentRoot /import/www.sites/xx/htdocs
>   ServerName xx.site.com
>   CustomLog logs/xx.site.com-access_log combined
>   ErrorLog logs/xx.site.com-error_log
>   <Directory /import/www.sites>
>     AllowOverride All
>     AuthPAM_Enabled on
>     AuthType Basic
>     Require valid-user
>     AuthGROUP_FallThrough on
>     AuthPAM_FallThrough on
>     Options ExecCGI FollowSymLinks +Includes +Indexes
>     IndexOptions FancyIndexing
>     order deny,allow
>     deny from all
>     allow from all
>   </Directory>
> </VirtualHost>
>
> Last but not least, the relevant .htaccess file:
>
> AuthUserFile …. /.htpasswd
> AuthGroupFile …./.htgroup
> AuthName ByPassword
> AuthType Basic
> AuthPAM_FallThrough on
> <Limit GET>
>   require group "domain users"
>   require user clientname
> </Limit>
>
> According to my calculations, now httpd should be able to use domain
> accounts to authenticate. The files in question on this webserver
> have “domain users” as the group owner and 775 permissions – this is
> not a filesystem permissions issue. At the apache authentication
> prompt, when I give a domain account “blah”, apache’s error log says
> “user blah not found”. Of course the “clientname” account works so
> Apache+PAM are the prime suspects for a configuration problem.
>
> So here is the question: is there any way to see what apache is
> doing vis a vis auth_pam? I’d like to get something more useful out
> of apache’s logging for this, but I do not know how to make that
> happen.

Not sure if this is the issue, but you might need to add
AuthBasicProvider <provider> to your httpd.conf. Upgrading apache broke
mine and I got no useful error messages. Apache changed the way basic
auth was handled somewhere along the line. It could be the auth_pam
needs an update too...

HTH,

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
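
Added illustration, not part of either message: a small Python check run over directives constructed from the configuration quoted above (file paths are placeholders). It flags the condition the reply points at, AuthType Basic with no AuthBasicProvider, and goes one step further by listing any require line scoped by a <Limit> block. The function names and sample strings are assumptions of this example, and it does not establish that either finding is the cause of the failure in the thread.

```python
import re

# Constructed sample: the directives quoted in the post; file paths are placeholders.
VHOST_DIRECTORY = """
AuthPAM_Enabled on
AuthType Basic
Require valid-user
AuthGROUP_FallThrough on
AuthPAM_FallThrough on
"""
HTACCESS = """
AuthUserFile /placeholder/.htpasswd
AuthGroupFile /placeholder/.htgroup
AuthName ByPassword
AuthType Basic
AuthPAM_FallThrough on
<Limit GET>
require group "domain users"
require user clientname
</Limit>
"""

def parse(text):
    """Yield (directive, args, methods); methods is the enclosing <Limit> list or None."""
    limit = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)([^>]*)>$", line)
        if tag:
            if tag.group(2).lower() == "limit":
                limit = None if tag.group(1) else tag.group(3).split()
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.strip(), limit

def audit(*layers):
    """Check the combined layers (e.g. <Directory>, then .htaccess) for auth gaps."""
    merged = [d for layer in layers for d in parse(layer)]
    names = {name for name, _, _ in merged}
    findings = []
    if "authtype" in names and "authbasicprovider" not in names:
        findings.append("AuthType set but no AuthBasicProvider: httpd 2.2 uses its default provider (file)")
    for name, args, methods in merged:
        if name == "require" and methods:
            findings.append(f"'require {args}' sits inside <Limit {' '.join(methods)}>, "
                            "so it does not constrain methods outside that block")
    return findings

if __name__ == "__main__":
    for finding in audit(VHOST_DIRECTORY, HTACCESS):
        print("-", finding)
```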