[Samba] [Fwd: Apache auth failing for Active Directory group members]

2003-10-17 Thread Brian Cochrane
I sent this message to the list yesterday, but I believe it was before I had
fully joined the list...so I'm not sure if it got through.  My apologies if
this is a repeat.



On my web server, I have a .htaccess file set up to restrict access to a
folder for specific Active Directory users.  The Active Directory domain is
imaginatively called AD.  Using 'require user ad\brian.cochrane' in
.htaccess works great.  'require group ad\domain users' also works. 
However, 'require group ad\_it' does not work.  The user brian.cochrane is
a member of both the Domain Users and _IT groups.

With .htaccess configured to only allow ad\_IT group members, attempting to
access the secured directory as ad\brian.cochrane fails.  After 3 attempts I
get the usual Authorization Required page from Apache.
Nothing regarding the failure is logged by Apache or winbindd.  However,
/var/log/auth.log shows pam_winbind[4145]: user 'ad\brian.cochrane' granted
access.

The winbind/samba configuration is otherwise working great.  I can restrict
access to unix files and directories for specific Active Directory users and
groups.

I have noticed that the usernames used by Apache's basic authentication
mechanism are case sensitive (even though winbind's AD to unix user/group
mapping does not appear to be), so I've tried various permutations of case in
the .htaccess file and when supplying my credentials.  Thinking the leading
underscores in the group names were causing a problem, I also added the
brian.cochrane user to another AD group called test, but the results were
the same.  So far, no luck.

I have included software version and configuration details below.  If there is
more information I can provide, I'd be happy to.  I am reluctant to upgrade to
Debian/testing to see if a newer version of samba, winbind, or the Apache
auth_pam module fixes the problem, as this is a production server and downtime
is an issue.  Has anyone else had this problem?  Any known solutions?  Any
information you can provide is greatly appreciated.

Thank you,
Brian Cochrane



software version details
--
OS: Linux 2.4.18
distribution: Debian 3.0/stable
samba/winbind package: 2.2.3a-12.3
libapache-mod-auth-pam package: 1.0a-7


winbind config in /etc/samba/smb.conf
--
#winbind separator = +
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes


/etc/pam.d/httpd
--
auth   required   /lib/security/pam_winbind.so
account   required   /lib/security/pam_winbind.so


.htaccess
--
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName test
#require group ad\_it
require user ad\brian.cochrane



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
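
An added diagnostic sketch, not part of the original post and not code from Samba or the Apache module: it separates "user authenticates" from "user is in the required group" by classifying how a user relates to a group in the system user and group databases. It assumes the group requirement is evaluated against the group database that winbind feeds through NSS (the post does not say which lookup the Apache module performs); the sample records are constructed, with made-up gids and member lists.

```python
import grp
import pwd
from collections import namedtuple

# Constructed stand-ins for NSS records, used only by sample_lookups().
Pw = namedtuple("Pw", "pw_name pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")

def check_membership(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Classify how `user` relates to `group` in the NSS databases.

    Returns one of: 'no-such-user', 'no-such-group', 'primary',
    'listed', 'listed-case-differs', 'not-a-member'.
    """
    try:
        pw = getpwnam(user)
    except KeyError:
        return "no-such-user"
    try:
        gr = getgrnam(group)
    except KeyError:
        return "no-such-group"
    if pw.pw_gid == gr.gr_gid:
        return "primary"              # membership via the passwd entry's gid
    if pw.pw_name in gr.gr_mem:
        return "listed"               # exact, case-sensitive match in gr_mem
    if pw.pw_name.lower() in (m.lower() for m in gr.gr_mem):
        return "listed-case-differs"  # present, but only if case is ignored
    return "not-a-member"

def sample_lookups():
    """Constructed sample data; names follow the post, gids are made up."""
    users = {r"AD\brian.cochrane": Pw(r"AD\brian.cochrane", 10000)}
    groups = {
        r"AD\Domain Users": Gr(r"AD\Domain Users", 10000, []),
        r"AD\_IT": Gr(r"AD\_IT", 10001, [r"AD\Brian.Cochrane"]),
        r"AD\test": Gr(r"AD\test", 10002, []),
    }
    return users.__getitem__, groups.__getitem__

if __name__ == "__main__":
    getpw, getgr = sample_lookups()
    for g in (r"AD\Domain Users", r"AD\_IT", r"AD\test", r"ad\_it"):
        print(g, "->", check_membership(r"AD\brian.cochrane", g, getpw, getgr))
```

Called with only a user and a group name on the web server itself, the function queries the live NSS databases instead of the constructed sample.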


[Samba] Apache auth failing for Active Directory group members

2003-10-16 Thread Brian Cochrane
On my web server, I have a .htaccess file set up to restrict access to a
folder for specific Active Directory users.  The Active Directory domain is
imaginatively called AD.  Using 'require user ad\brian.cochrane' in
.htaccess works great.  'require group ad\domain users' also works. 
However, 'require group ad\_it' does not work.  The user brian.cochrane is
a member of both the Domain Users and _IT groups.

With .htaccess configured to only allow ad\_IT group members, attempting to
access the secured directory as ad\brian.cochrane fails.  After 3 attempts I
get the usual Authorization Required page from Apache.
Nothing regarding the failure is logged by Apache or winbindd.  However,
/var/log/auth.log shows pam_winbind[4145]: user 'ad\brian.cochrane' granted
access.

The winbind/samba configuration is otherwise working great.  I can restrict
access to unix files and directories for specific Active Directory users and
groups.

I have noticed that the usernames used by Apache's basic authentication
mechanism are case sensitive (even though winbind's AD to unix user/group
mapping does not appear to be), so I've tried various permutations of case in
the .htaccess file and when supplying my credentials.  Thinking the leading
underscores in the group names were causing a problem, I also added the
brian.cochrane user to another AD group called test, but the results were
the same.  So far, no luck.

I have included software version and configuration details below.  If there is
more information I can provide, I'd be happy to.  I am reluctant to upgrade to
Debian/testing to see if a newer version of samba, winbind, or the Apache
auth_pam module fixes the problem, as this is a production server and downtime
is an issue.  Has anyone else had this problem?  Any known solutions?  Any
information you can provide is greatly appreciated.

Thank you,
Brian Cochrane



software version details
--
OS: Linux 2.4.18
distribution: Debian 3.0/stable
samba/winbind package: 2.2.3a-12.3
libapache-mod-auth-pam package: 1.0a-7


winbind config in /etc/samba/smb.conf
--
#winbind separator = +
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes


/etc/pam.d/httpd
--
auth   required   /lib/security/pam_winbind.so
account   required   /lib/security/pam_winbind.so


.htaccess
--
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName test
#require group ad\_it
require user ad\brian.cochrane
