[Samba] Samba authentication against an NT group in Apache

Adam H. Lewenberg adamhl at uiuc.edu
Mon Feb 9 18:39:55 GMT 2004


We would like to have our Apache Linux-based web server use our
existing NT domain to authenticate some of our web pages. We are using
the Apache module mod_auth_pam to use pam-based authentication and
then the winbind pam module to do the actual authentication.

We have gotten to the point where we can authenticate using NT
_users_, but we have not been able to authenticate using _groups_. For
example, we can restrict a web page so that only the NT user
"joeuser" can gain access to the page, but we have been unable to
configure Apache so that any user of the NT group "SpecialAccess" (of
which joeuser is a member) can gain access but no one else. 

Here is the .htaccess file we used to try to do this: 
##########################
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName "test"
require group "OURNTDOMAIN\SpecialAccess"
##########################

Apache generates the following error: 
##########################
[Mon Feb 02 16:20:40 2004] [crit] [client 130.126.35.93] configuration
error: couldn't check access.  No groups file?: /grouptest/index.html
##########################


Here are some more details on our setup: 
---------------------------------------
Linux Redhat Enterprise Linux 3
Samba Version 3.0.0-14.3E
Apache 2.0.46
mod_pam_auth 2.0-1.1.1


The configuration file that mod_auth_pam uses is called /etc/pam.d/httpd
and contains the lines
##########################
auth       required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
##########################

The samba configuration file contains these lines:
##########################
[global]
workgroup = OURNTDOMAIN
encrypt passwords = yes
security = domain
password server = pdccontroller1
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
##########################

Any ideas or suggestions are very welcome. 

Thank you. Alan L.
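
Added example, not part of the original post: a Python check, run independently of Apache, of whether the group named on the `require group` line resolves through NSS and counts the user as a member. It assumes winbind is wired into NSS (nsswitch.conf is not shown in the post) and, because the posted smb.conf sets `winbind use default domain = yes`, it also tries the name without the `OURNTDOMAIN\` prefix; all function names are hypothetical.

```python
import grp
import pwd
import re

# Matches an Apache "require group" line and captures everything after it.
REQUIRE_GROUP = re.compile(r'^\s*require\s+group\s+(.*)$', re.IGNORECASE)

def required_groups(htaccess_text):
    """Return the group names listed on 'require group' lines."""
    groups = []
    for line in htaccess_text.splitlines():
        m = REQUIRE_GROUP.match(line)
        if m:
            # Names may be quoted (needed when they contain spaces) or bare.
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', m.group(1)):
                groups.append(quoted or bare)
    return groups

def nss_candidates(name, default_domain=None):
    """Names to try in NSS: as written, then without the default-domain prefix."""
    names = [name]
    domain, sep, short = name.partition("\\")
    if sep and default_domain and domain.upper() == default_domain.upper():
        names.append(short)
    return names

def check_member(user, group, default_domain=None,
                 getgrnam=grp.getgrnam, getpwnam=pwd.getpwnam):
    """Return (resolved_name, is_member); resolved_name is None if NSS has no such group."""
    for candidate in nss_candidates(group, default_domain):
        try:
            entry = getgrnam(candidate)
        except KeyError:
            continue
        if user in entry.gr_mem:
            return candidate, True
        # gr_mem omits users whose primary group this is, so compare gids too.
        try:
            return candidate, getpwnam(user).pw_gid == entry.gr_gid
        except KeyError:
            return candidate, False
    return None, False

if __name__ == "__main__":
    # Constructed sample: the require line from the post's .htaccess.
    sample = 'AuthType Basic\nrequire group "OURNTDOMAIN\\SpecialAccess"\n'
    for g in required_groups(sample):
        print(g, check_member("joeuser", g, default_domain="OURNTDOMAIN"))
```

A result of `(None, False)` means the group name did not resolve through NSS under either spelling.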