[Samba] Samba authentication against an NT group in Apache

PIGNOL, Christian christian_pignol at merck.com
Wed Mar 10 14:44:58 GMT 2004


Hi,

I have exactly the same problem with my web server ...

Linux/redhat	9.0		/ kernel 2.4.20-20.9.1 (+ Acl patches)
Samba			3.0.2a	/ compiled with winbind and Acl options
Apache		2.0.40	/ with mod_auth_pam 2.xx included

Authentication to samba share from a windows workstation using Acl + winbind
+ "Nt domain groups" works fine.

But I have some problems when I want to use NT domain groups to restrict web
access to a web directory ... only single-user authorization works fine but ...
never with a domain group ...

Note that single authorization works fine but in case-sensitive mode ...
If I specify "require group MyDomain\MyUser" in the ".htaccess" file, I MUST
exactly type "MyDomain\MyUser" on the keyboard when the identification box
appears! It doesn't work if I type "mydomain\myuser"!

Have you solved your problem or found an acceptable solution for using
domain groups?

Thanks a lot for your help.


Christian PIGNOL


-----Original Message-----
From: samba-bounces+christian_pignol=merck.com at lists.samba.org
[mailto:samba-bounces+christian_pignol=merck.com at lists.samba.org] On Behalf
Of Adam H. Lewenberg
Sent: Monday, 9 February 2004 19:40
To: samba at lists.samba.org
Subject: [Samba] Samba authentication against an NT group in Apache


We would like to have our Apache Linux-based web server use our
existing NT domain to authenticate some of our web pages. We are using
the Apache module mod_auth_pam to use pam-based authentication and
then the winbind pam module to do the actual authentication.

We have gotten to the point where we can authenticate using NT
_users_, but we have not been able to authenticate using _groups_. For
example, we can restrict a web page so that only the NT user
"joeuser" can gain access to the page, but we have been unable to
configure Apache so that any user of the NT group "SpecialAccess" (of
which joeuser is a member) can gain access but no one else. 

Here is the .htaccess file we used to try to do this: 
##########################
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName "test"
require group "OURNTDOMAIN\SpecialAccess"
##########################

Apache generates the following error: 
##########################
[Mon Feb 02 16:20:40 2004] [crit] [client 130.126.35.93] configuration
error: couldn't check access.  No groups file?: /grouptest/index.html
##########################


Here are some more details on our setup: 
---------------------------------------
Linux Redhat Enterprise Linux 3
Samba Version 3.0.0-14.3E
Apache 2.0.46
mod_pam_auth 2.0-1.1.1


The configuration file that mod_auth_pam uses is called /etc/pam.d/httpd
and contains the lines
##########################
auth       required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
##########################

The samba configuration file contains these lines:
##########################
[global]
workgroup = OURNTDOMAIN
encrypt passwords = yes
security = domain
password server = pdccontroller1
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
##########################

Any ideas or suggestions are very welcome. 

Thank you. Alan L.
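
An added example, not code from either poster or from mod_auth_pam: a sketch of the check the thread wants from `require group`, done by asking NSS (where winbind publishes domain groups) for the group's members and comparing account names case-folded, so `mydomain\myuser` and `MyDomain\MyUser` are treated as the same account. `DEFAULT_DOMAIN`, the helper names and the sample group table are assumptions made for illustration.

```python
DEFAULT_DOMAIN = "OURNTDOMAIN"  # workgroup from the smb.conf quoted above

# Constructed sample data standing in for what NSS/winbind would return.
SAMPLE_GROUPS = {"SpecialAccess": ["joeuser"]}


def canonical(name, default_domain=DEFAULT_DOMAIN):
    """Return (domain, account), case-folded; bare names get the default domain."""
    domain, sep, account = name.strip().rpartition("\\")
    if not sep:
        domain = default_domain
    return domain.casefold(), account.casefold()


def nss_members(group):
    """Supplementary members of a group as NSS reports them, or None."""
    import grp  # Unix only; winbind must be listed in nsswitch.conf
    # With "winbind use default domain = yes" the group has no domain prefix.
    for candidate in (group, group.rpartition("\\")[2]):
        try:
            return grp.getgrnam(candidate).gr_mem
        except KeyError:
            continue
    return None


def sample_members(group):
    """Offline stand-in for nss_members(), backed by SAMPLE_GROUPS."""
    return SAMPLE_GROUPS.get(group.rpartition("\\")[2])


def is_authorized(typed_user, required_group, members_of=nss_members):
    """True only if the typed account is a member of the required group."""
    members = members_of(required_group)
    if members is None:
        return False  # unknown group: fail closed
    wanted = canonical(typed_user)
    return any(canonical(member) == wanted for member in members)


if __name__ == "__main__":
    group = "OURNTDOMAIN\\SpecialAccess"
    for typed in ("joeuser", "ourntdomain\\JoeUser", "OTHERDOMAIN\\joeuser"):
        print(typed, is_authorized(typed, group, sample_members))
```

On a host where winbind is working, calling `is_authorized()` without the third argument uses the live NSS lookup, which is the same data `getent group` shows.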

