[Samba] Apache auth failing for Active Directory group members

Brian Cochrane brian at rackm0unt.org
Thu Oct 16 23:09:45 GMT 2003

On my web server, I have a .htaccess file set up to restrict access to a
folder for specific Active Directory users.  The Active Directory domain is
imaginatively called "AD".  Using 'require user ad\brian.cochrane' in
.htaccess works great.  'require group "ad\domain users"' also works. 
However, 'require group "ad\_it"' does not work.  The user "brian.cochrane" is
a member of both the "Domain Users" and "_IT" groups.

With .htaccess configured to only allow "ad\_IT" group members, attempting to
access the secured directory as "ad\brian.cochrane" fails.  After 3 attempts I
get the usual "Authorization Required" page from Apache.
Nothing regarding the failure is logged by Apache or winbindd.  However,
/var/log/auth.log shows "pam_winbind[4145]: user 'ad\brian.cochrane' granted

The winbind/samba configuration is otherwise working great.  I can restrict
access to unix files and directories for specific Active Directory users and

I have noticed that the usernames used by Apache's basic authentication
mechanism are case sensitive (even though winbind's AD to unix user/group
mapping does not appear to be), so I've tried various permutations of case in
the .htaccess file and when supplying my credentials.  Thinking the leading
underscores in the group names were causing a problem, I also added the
"brian.cochrane" user to another AD group called "test", but the results were
the same.  So far, no luck.

I have included software version and configuration details below.  If there is
more information I can provide, I'd be happy to.  I am reluctant to upgrade to
Debian/testing to see if a newer version of samba, winbind, or the Apache
auth_pam module fixes the problem, as this is a production server and downtime
is an issue.  Has anyone else had this problem?  Any known solutions?  Any
information you can provide is greatly appreciated.

Thank you,
Brian Cochrane

software version details
OS: Linux 2.4.18
distribution: Debian 3.0/stable
samba/winbind package: 2.2.3a-12.3
libapache-mod-auth-pam package: 1.0a-7

winbind config in /etc/samba/smb.conf
#winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

auth       required   /lib/security/pam_winbind.so
account    required   /lib/security/pam_winbind.so

AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName "test"
#require group "ad\_it"
require user "ad\brian.cochrane"
