[Samba] apache, apache's mod-auth-pam,
and pam_winbind : no nested groups
Jonathan C. Detert
detertj at msoe.edu
Mon Nov 13 19:56:12 GMT 2006
this problem might be more to do with apache than winbind, but I'll
start here anyway...
Problem: can't get apache httpauth to work with nested groups, though
ssh auth (also using pam) to same box does
Config:
--------------------------------------------------------
software: apache 2.0.55, libapache2-mod-auth-pam 1.1.1, and winbind 3.0.22
pertinent apache config:
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthGROUP_Enabled on
LoadModule auth_pam_module
LoadModule auth_sys_group_module
pertinent winbind config:
winbind nested groups = yes
security = ADS
/etc/pam.d/apache2:
auth sufficient pam_winbind.so debug
auth required pam_unix.so nullok_secure debug
account sufficient pam_unix_acct.so debug
account required pam_winbind.so debug
.htaccess file:
AuthName SDLplanRealm
AuthType Basic
require group sdl
--------------------------------------------------------
Symptoms:
---------
/var/log/auth.log winbbindd entries say :
pam_winbind[29410]: user 'detertj' granted access
but /var/log/apache2/ssl_error_log entries say:
GROUP: detertj not in required group(s).
Conclusion:
-----------
any suggestions as to what to try, where to look, next? Thanks
--
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
More information about the samba
mailing list