Brian Cochrane
2003-Oct-17 18:08 UTC
[Samba] [Fwd: Apache auth failing for Active Directory group members]
I sent this message to the list yesterday, but I believe it was before I had fully joined the list...so I'm not sure if it got through. My apologies if this is a repeat. On my web server, I have a .htaccess file set up to restrict access to a folder for specific Active Directory users. The Active Directory domain is imaginatively called "AD". Using 'require user ad\brian.cochrane' in .htaccess works great. 'require group "ad\domain users"' also works. However, 'require group "ad\_it"' does not work. The user "brian.cochrane" is a member of both the "Domain Users" and "_IT" groups. With .htaccess configured to only allow "ad\_IT" group members, attempting to access the secured directory as "ad\brian.cochrane" fails. After 3 attemps I get the usual "Authorization Required" page from Apache. Nothing regarding the failure is logged by Apache or winbindd. However, /var/log/auth.log shows "pam_winbind[4145]: user 'ad\brian.cochrane' granted access". The winbind/samba configuration is otherwise working great. I can restrict access to unix files and directories for specific Active Directory users and groups. I have noticed that the usernames used by Apache's basic authentication mechanism are case sensitive (even though winbind's AD to unix user/group mapping does not appear to be), so I've tried various permutations of case in the .htaccess file and when supplying my credentials. Thinking the leading underscores in the group names were causing a problem, I also added the "brian.cochrane" user to another AD group called "test", but the results were the same. So far, no luck. I have included software version and configuration details below. If there is more information I can provide, I'd be happy to. I am reluctant to upgrade to Debian/testing to see if a newer version of samba, winbind, or the Apache auth_pam module fixes the problem, as this is a production server and downtime is an issue. Has anyone else had this problem? Any known solutions? Any information you can provide is greatly appreciated. Thank you, Brian Cochrane software version details -------------------------------------------------- OS: Linux 2.4.18 distribution: Debian 3.0/stable samba/winbind package: 2.2.3a-12.3 libapache-mod-auth-pam package: 1.0a-7 winbind config in /etc/samba/smb.conf -------------------------------------------------- #winbind separator = + winbind uid = 10000-20000 winbind gid = 10000-20000 winbind enum users = yes winbind enum groups = yes /etc/pam.d/httpd -------------------------------------------------- auth required /lib/security/pam_winbind.so account required /lib/security/pam_winbind.so .htaccess -------------------------------------------------- AuthPAM_Enabled On AuthPAM_FallThrough Off AuthAuthoritative Off AuthType Basic AuthName "test" #require group "ad\_it" require user "ad\brian.cochrane"