[Samba] [Fwd: Apache auth failing for Active Directory group members]

Brian Cochrane brian at rackm0unt.org
Fri Oct 17 18:08:53 GMT 2003


I sent this message to the list yesterday, but I believe it was before I had
fully joined the list...so I'm not sure if it got through.  My apologies if
this is a repeat.



On my web server, I have a .htaccess file set up to restrict access to a
folder for specific Active Directory users.  The Active Directory domain is
imaginatively called "AD".  Using 'require user ad\brian.cochrane' in
.htaccess works great.  'require group "ad\domain users"' also works. 
However, 'require group "ad\_it"' does not work.  The user "brian.cochrane" is
a member of both the "Domain Users" and "_IT" groups.

With .htaccess configured to only allow "ad\_IT" group members, attempting to
access the secured directory as "ad\brian.cochrane" fails.  After 3 attemps I
get the usual "Authorization Required" page from Apache.
Nothing regarding the failure is logged by Apache or winbindd.  However,
/var/log/auth.log shows "pam_winbind[4145]: user 'ad\brian.cochrane' granted
access".

The winbind/samba configuration is otherwise working great.  I can restrict
access to unix files and directories for specific Active Directory users and
groups.

I have noticed that the usernames used by Apache's basic authentication
mechanism are case sensitive (even though winbind's AD to unix user/group
mapping does not appear to be), so I've tried various permutations of case in
the .htaccess file and when supplying my credentials.  Thinking the leading
underscores in the group names were causing a problem, I also added the
"brian.cochrane" user to another AD group called "test", but the results were
the same.  So far, no luck.

I have included software version and configuration details below.  If there is
more information I can provide, I'd be happy to.  I am reluctant to upgrade to
Debian/testing to see if a newer version of samba, winbind, or the Apache
auth_pam module fixes the problem, as this is a production server and downtime
is an issue.  Has anyone else had this problem?  Any known solutions?  Any
information you can provide is greatly appreciated.

Thank you,
Brian Cochrane



software version details
--------------------------------------------------
OS: Linux 2.4.18
distribution: Debian 3.0/stable
samba/winbind package: 2.2.3a-12.3
libapache-mod-auth-pam package: 1.0a-7


winbind config in /etc/samba/smb.conf
--------------------------------------------------
#winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes


/etc/pam.d/httpd
--------------------------------------------------
auth       required   /lib/security/pam_winbind.so
account    required   /lib/security/pam_winbind.so


.htaccess
--------------------------------------------------
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName "test"
#require group "ad\_it"
require user "ad\brian.cochrane"






More information about the samba mailing list