We would like to have our Apache Linux-based web server use our existing NT domain to authenticate some of our web pages. We are using the Apache module mod_auth_pam to use pam-based authentication and then the winbind pam module to do the actual authentication.
We have gotten to the point where we can authenticate using NT
_users_, but we have not been able to authenticate using _groups_. For
example, we can restrict a web page so that only the NT user
"joeuser" can gain access to the page, but we have been unable to
configure Apache so that any user of the NT group "SpecialAccess" (of
which joeuser is a member) can gain access but no one else.
Here is the .htaccess file we used to try to do this: ##########################
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName "test"
require group "OURNTDOMAIN\SpecialAccess"
##########################
Apache generates the following error: ##########################
[Mon Feb 02 16:20:40 2004] [crit] [client 130.126.35.93] configuration
error: couldn't check access. No groups file?: /grouptest/index.html
##########################
Here are some more details on our setup: ---------------------------------------
Linux Redhat Enterprise Linux 3
Samba Version 3.0.0-14.3E
Apache 2.0.46
mod_pam_auth 2.0-1.1.1
The configuration file that mod_auth_pam uses is called /etc/pam.d/httpd and contains the lines ########################## auth required /lib/security/pam_winbind.so account required /lib/security/pam_winbind.so ##########################
The samba configuration file contains these lines: ########################## [global] workgroup = OURNTDOMAIN encrypt passwords = yes security = domain password server = pdccontroller1 winbind use default domain = yes idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes
Any ideas or suggestions are very welcome.
Thank you. Alan L.
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba