Jeff Sexton

Monday, October 22, 2007

Subversion, Fedora, PAM, winbindd, Apache and NT4 Authentication

In order to get a Subversion source control server running via Apache HTTP server on Redhat/Fedora Linux, with no separate user authentication, I had to get the Apache server on the box to authenticate the Subversion svn URL against a Windows network. In this case that meant an NT4 Windows domain. There's a few tricks to this that took awhile to figure out. Here's an outline of the process to get Apache to protect the resource using Windows network login and passwords...

0. Install the Apache module mod_auth_pam.

1. Connect the Linux host to the Windows domain. From the menus, select: Administration -> Authentecation -> Authentecation -> Winbind

Configure winbind and and click the "join" button. Note that this required the Windows administrator's username and password.

2. Edit the system's services and enable winbindd to run on startup

Now these commands should work:



wbinfo -u
wbinfo -g
wbinfo -a \\%;

For example:


wbinfo -a XYZ\\jsexton%my_password

should successfully authenticate jsexton against the NT domain XYZ.


3. Setup PAM's http configuration. Here's the use of pam_permit.so. Without this, PAM will check for a valid local account and fail. You'll find references out there to having to make /etc/shadow readable by the httpd for this reason. But using the permit option avoids this problem. This took awhile to figure out because I was using myself as a test and I do in fact have a local account. What I didn't realize was that it was not smart enough to deal with the leading Windows domain on the username. User "jsexton" existed on the linux box, but "XYZ\jsexton" did not. Not having to enter the Windows domain with the username when logging in would also solve the problem, but I don't see how to make that happen in the winbindd setup, for an NT domain.

File /etc/pam.d/http



#%PAM-1.0
auth sufficient pam_winbind.so debug
#account required pam_winbind.so debug
account required pam_permit.so

4. Set Apache to load PAM:

File /etc/httpd/conf.d/auth_pam.conf



LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

5. Protect a sample directory:

File /etc/httpd/conf/http.conf



Alias /test/ "/test/"
<Directory "/test">
AllowOverride None
Allow from all
Order Deny,Allow
AuthType Basic
AuthName "AUTH TEST"
AuthPAM_Enabled on
Require valid-user
</Directory>

Now loading http://localhost/test/ should ask for a name and password and authenticate against the Windows domain (note the trailing slash on the URL). Enter the Windows domain in the username with one back-slash, ie "XYZ\jsexton". Watch /var/log/messages and /var/log/httpd/error_log for information. The exact location of some of these files may vary on your system.

Post a Comment
3D modeling Advertising Air Canada Airline Alfa Romeo Spider Touring Gran Sport Analog signal Android Anomalies and Alternative Science Apache Apollo Astoria Asus Augmented reality Aurora Famous Fighters auto-awesome Automobile Autos Backups Barack Obama Batman Battery Beards Beer Bell System Berkshire Hathaway Bigfoot Bird Food Bird Toys Birds Birthdays Blogger Books Build Management Business and Economy Business Process Execution Language Byte-order mark Canadian Carrot Cats Christmas Civil Defense CNN Cockatiels Collections Crows Dear Jane Debian Diabetes Digital Living Network Alliance Digital television Disney Doll House Dow Jones Industrial Average Duesenburg SJ Roadster Durham University E-mail address ebauche Economics EJB Energy development Enterprise JavaBean ESP Facebook Fedora Filesharing Finance Ford Fossil fuel Garfield James Abram Garfield Minus Garfield Glassfish Global warming Golden Arches Goofy Google Google Buzz Google Docs Google Lively Google Photos Google Reader Google Wave Google+ Greenhouse gas Half-Life 2 Helbros High-definition television History Hybrid electric vehicle IBM Inner city Instagram Insulin Investing Irony J.C. Penny Jane Austen Java Java Architecture for XML Binding JDBC Jeff's! Jim Davis joe the plumber John McCain Karma Kay Thompson Kermit the Frog Kids and Teens LA Auto Show Larry King Laser Logging Lowry Sexton Mark Cuban Market trends McDonald Meier and Frank Microsoft Microsoft Windows Models Monkey monsters Moon MOUNT HOOD Music Music industry Muxtape MySQL NetBeans Netflix Nintendo Nissan Cube Norm Coleman Nuclear fallout Nuclear warfare Office Depot Open ESB Oracle Corporation Pacific Ocean Packard Boattail Pearl District Pearl District Portland Oregon Philip K Dick photography PlayStation 3 Pocher Pokémon HeartGold and SoulSilver Politics Portal Portland Portland Development Commission Presidents Pride and Prejudice Programming Projects Radio Recipes Recording Industry Association of America Renewable energy RIAA Robot Chicken Rock-paper-scissors Sarcasm SATA Science fiction film Serbia Service-oriented architecture Shopping Slide Rule Social Security Social Studies Society6 Spirit of St. Louis SQL Stanford Hospital Star Wars Starbucks Stock market Strip search Sun Microsystems T-Mobile Tablet TechCrunch Technical ThinkGeek Toaster Total Recall Transportation Security Administration Unicode United States United States Department of Homeland Security Universal Plug and Play Unknown Primates USB Vegetable garden Video game Vintage Images Vintage Vintage! Virtual world Volvo C70 Wall Street Warren Buffett watches We Can Remember It for You Wholesale Web service Web Services Description Language Wii Windows 7 Windows Phone 7 Windows Vista Windows XP X-Files X-ray vision XML XML Schema YouTube Yugo Zima