OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
pam_auth_basic_user() - account is not healthy

From: delman (k3zzt8n02sneakemail.com)
Date: Fri Nov 14 2003 - 10:49:50 CST


Hi all,

I'm trying to use Apache's pam_auth_module with winbindd to authenticate Intranet users to a web application using our PDC (WinNT - sp6a box).

It seems to work well with samba (users can access their shares using domain credentials), but it doesn't work for apache, and googling has given no answer.

For every auth attempt this is my auth.log:

Nov 14 17:17:50 ict-srv-db pam_winbind[591]: Verify user `foo'
Nov 14 17:17:50 ict-srv-db pam_winbind[591]: user 'foo' granted acces

And this is the error.log of apache:
[Fri Nov 14 17:17:50 2003] [error] (13)Permission denied: access to / failed for 192.168.0.xxx, reason: Permission denied
[Fri Nov 14 17:17:50 2003] [debug] mod_auth_pam.c(398): [client 192.168.0.xxx] pam_auth_basic_user() - account is not healthy

I'm clueless, any hint?

Conf files:

/etc/pam.d/httpd

#%PAM-1.0
auth sufficient pam_winbind.so debug
account sufficient pam_winbind.so

nsswitch.conf:

[...]
passwd: compat winbind
group: compat winbind
[...]

smb.conf:
[global]
        workgroup = MYOWN
        server string = %h server
        security = DOMAIN
        password server = 192.168.0.xxx
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        client plaintext auth = No
        log level = winbind:10
        syslog = 2
        log file = /var/log/samba/log.%m
        max log size = 1000
        min protocol = LANMAN2
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /dev/null
        winbind separator = +
        winbind enable local accounts = No
        winbind use default domain = Yes
        invalid users = root

httpd.conf

<Directory /var/www>
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    AllowOverride None
    AuthName "Auth needed"
    AuthType "basic"
    require group "Domain Users"
</Directory>

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://www.redhat.com/mailman/listinfo/pam-list