[Samba] apache, apache's mod-auth-pam, and pam_winbind : no nested groups

Jonathan C. Detert detertj at msoe.edu
Mon Nov 13 19:56:12 GMT 2006

this problem might be more to do with apache than winbind, but I'll
start here anyway...

Problem: can't get apache httpauth to work with nested groups, though
         ssh auth (also using pam) to same box does

software: apache 2.0.55, libapache2-mod-auth-pam 1.1.1, and winbind 3.0.22

pertinent apache config:
        AuthPAM_Enabled on
        AuthPAM_FallThrough off
        AuthGROUP_Enabled on

        LoadModule auth_pam_module
        LoadModule auth_sys_group_module 

pertinent winbind config:
        winbind nested groups = yes
        security = ADS

        auth sufficient         pam_winbind.so debug
        auth required           pam_unix.so nullok_secure debug

        account sufficient      pam_unix_acct.so debug
        account required        pam_winbind.so debug

.htaccess file:
        AuthName SDLplanRealm
        AuthType Basic

        require group sdl

/var/log/auth.log winbbindd entries say :
        pam_winbind[29410]: user 'detertj' granted access

but /var/log/apache2/ssl_error_log entries say:
        GROUP: detertj not in required group(s).

any suggestions as to what to try, where to look, next?  Thanks
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.

More information about the samba mailing list