PIGNOL, Christian
2004-Mar-10 14:45 UTC
[Samba] Samba authentication against an NT group in Apache
Hi,

I have exactly the same problem with my web server ...

Linux/redhat 9.0 / kernel 2.4.20-20.9.1 (+ ACL patches)
Samba 3.0.2a / compiled with winbind and ACL options
Apache 2.0.40 / with mod_auth_pam 2.xx included

Authentication to a Samba share from a Windows workstation using ACL + winbind + "NT domain groups" works fine.

But I have some problems when I want to use NT domain groups to restrict web access to a web directory ... only single-user authorization works fine but ... never with a domain group ...

Note that single authorization works fine, but in case-sensitive mode ... If I specify "require group MyDomain\MyUser" in the ".htaccess" file, I MUST type exactly "MyDomain\MyUser" on the keyboard when the identification box appears! It doesn't work if I type "mydomain\myuser"!

Have you solved your problem or found an acceptable solution to use domain groups?

Thanks a lot for your help.

Christian PIGNOL

-----Original Message-----
From: samba-bounces+christian_pignol=merck.com@lists.samba.org [mailto:samba-bounces+christian_pignol=merck.com@lists.samba.org] On Behalf Of Adam H. Lewenberg
Sent: Monday, February 9, 2004 19:40
To: samba@lists.samba.org
Subject: [Samba] Samba authentication against an NT group in Apache

We would like to have our Apache Linux-based web server use our existing NT domain to authenticate some of our web pages. We are using the Apache module mod_auth_pam to use pam-based authentication and then the winbind pam module to do the actual authentication.

We have gotten to the point where we can authenticate using NT _users_, but we have not been able to authenticate using _groups_. For example, we can restrict a web page so that only the NT user "joeuser" can gain access to the page, but we have been unable to configure Apache so that any user of the NT group "SpecialAccess" (of which joeuser is a member) can gain access but no one else.

Here is the .htaccess file we used to try to do this:

##########################
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName "test"
require group "OURNTDOMAIN\SpecialAccess"
##########################

Apache generates the following error:

##########################
[Mon Feb 02 16:20:40 2004] [crit] [client 130.126.35.93] configuration error: couldn't check access. No groups file?: /grouptest/index.html
##########################

Here are some more details on our setup:
---------------------------------------
Linux Redhat Enterprise Linux 3
Samba Version 3.0.0-14.3E
Apache 2.0.46
mod_pam_auth 2.0-1.1.1

The configuration file that mod_auth_pam uses is called /etc/pam.d/httpd and contains the lines

##########################
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
##########################

The samba configuration file contains these lines:

##########################
[global]
workgroup = OURNTDOMAIN
encrypt passwords = yes
security = domain
password server = pdccontroller1
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

Any ideas or suggestions are very welcome. Thank you.

Alan L.