Monday, October 22, 2007

Subversion, Fedora, PAM, winbindd, Apache and NT4 Authentication

To get a Subversion source control server running through the Apache HTTP server on Red Hat/Fedora Linux, without maintaining a separate set of user accounts and passwords, I had to make the Apache server on the box authenticate the Subversion svn URL against a Windows network, in this case an NT4 Windows domain. There are a few tricks to this that took a while to figure out. Here's an outline of the process for getting Apache to protect the resource using Windows network logins and passwords.

0. Install the Apache module mod_auth_pam.

1. Connect the Linux host to the Windows domain. From the menus, select: Administration -> Authentication -> Authentication -> Winbind

Configure winbind and click the "join" button. Note that this requires the Windows domain administrator's username and password.

2. Edit the system's services and enable winbindd to run on startup

Now these commands should work:


wbinfo -u
wbinfo -g
wbinfo -a DOMAIN\\username%password

For example:

wbinfo -a XYZ\\jsexton%my_password

should successfully authenticate jsexton against the NT domain XYZ.

3. Set up PAM's http configuration. The important part is pam_permit.so in the account stage. Without it, PAM checks for a valid local account and fails. You'll find references out there to making /etc/shadow readable by httpd for this reason, but the permit option avoids that problem. This took a while to figure out because I was testing with my own account, and I do in fact have a local account. What I didn't realize was that PAM is not smart enough to strip the leading Windows domain from the username: user "jsexton" existed on the Linux box, but "XYZ\jsexton" did not. Not having to enter the Windows domain with the username when logging in would also solve the problem, but I don't see how to make that happen in the winbindd setup for an NT domain.

File /etc/pam.d/http

#%PAM-1.0
auth sufficient pam_winbind.so debug
#account required pam_winbind.so debug
account required pam_permit.so
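To see why the account line matters, here is a small model of how PAM walks a service stack. It is an added illustration for this post, not code from the original and not Linux-PAM itself: pam_winbind, pam_unix and pam_permit are simulated with plain functions over constructed account tables (LOCAL_ACCOUNTS and DOMAIN_ACCOUNTS are made up), and run_phase applies the required/requisite/sufficient control flags the way Linux-PAM's dispatcher treats them.

```python
# Added illustration: a toy model of Linux-PAM stack evaluation for
# /etc/pam.d/http. Module behaviour is simulated; nothing here talks to
# winbindd, /etc/shadow or libpam. All account data is constructed.

# Constructed sample data: what the local box knows vs what the NT domain knows.
LOCAL_ACCOUNTS = {"jsexton": "local_pw"}          # /etc/passwd + /etc/shadow
DOMAIN_ACCOUNTS = {"XYZ\\jsexton": "my_password"}  # what winbindd answers for


def pam_unix(phase, user, password):
    """Stand-in for pam_unix.so: only local accounts exist here."""
    if phase == "auth":
        return LOCAL_ACCOUNTS.get(user) == password
    return user in LOCAL_ACCOUNTS          # account phase: does the account exist?


def pam_winbind(phase, user, password):
    """Stand-in for pam_winbind.so: answers for DOMAIN\\user names only,
    which is exactly the mismatch the post describes."""
    if phase == "auth":
        return DOMAIN_ACCOUNTS.get(user) == password
    return user in DOMAIN_ACCOUNTS


def pam_permit(phase, user, password):
    """Stand-in for pam_permit.so: always succeeds, performs no check at all."""
    return True


def run_phase(stack, phase, user, password):
    """Evaluate one phase ("auth" or "account") of a stack.

    stack is a list of (phase, control, module) tuples, one per line of the
    PAM file. Semantics follow Linux-PAM's dispatcher:
      requisite : failure ends the stack immediately with failure
      required  : failure is remembered, later modules still run
      sufficient: success ends the stack with success unless a required
                  module already failed; failure is simply ignored
    A stack in which no module gave a verdict fails (default deny).
    """
    verdict = None                      # None = no verdict yet
    for entry_phase, control, module in stack:
        if entry_phase != phase:
            continue
        ok = module(phase, user, password)
        if control == "requisite":
            if not ok:
                return False
            if verdict is None:
                verdict = True
        elif control == "required":
            if not ok:
                verdict = False
            elif verdict is None:
                verdict = True
        elif control == "sufficient":
            if ok and verdict is not False:
                return True
            # a failing sufficient module is ignored
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return verdict is True


def authenticate(stack, user, password):
    """mod_auth_pam calls pam_authenticate() and then pam_acct_mgmt();
    the login succeeds only if both phases do."""
    return (run_phase(stack, "auth", user, password)
            and run_phase(stack, "account", user, password))


# The post's working /etc/pam.d/http.
WORKING_STACK = [
    ("auth", "sufficient", pam_winbind),
    ("account", "required", pam_permit),
]

# What the author ran into first: an account phase that expects a local account.
LOCAL_ACCOUNT_STACK = [
    ("auth", "sufficient", pam_winbind),
    ("account", "required", pam_unix),
]


def demo():
    """Return the outcomes for the three cases discussed in the post."""
    return {
        "working, good password": authenticate(WORKING_STACK, "XYZ\\jsexton", "my_password"),
        "working, bad password": authenticate(WORKING_STACK, "XYZ\\jsexton", "wrong"),
        "local account check, good password": authenticate(LOCAL_ACCOUNT_STACK, "XYZ\\jsexton", "my_password"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

Calling run_phase(WORKING_STACK, "account", ...) with any name at all returns True, which is the cost of the fix: with pam_permit in the account phase, every control (expiry, lock-out, who may log in) rests on the auth line and on what winbindd itself enforces. That is fine when the domain is the single source of truth, but worth remembering when you read this file again later.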

4. Set Apache to load PAM:

File /etc/httpd/conf.d/auth_pam.conf

LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

5. Protect a sample directory:

File /etc/httpd/conf/http.conf

Alias /test/ "/test/"
<Directory "/test">
    AllowOverride None
    Allow from all
    Order Deny,Allow
    AuthType Basic
    AuthName "AUTH TEST"
    AuthPAM_Enabled on
    Require valid-user
</Directory>

Loading http://localhost/test/ should now prompt for a name and password and authenticate them against the Windows domain (note the trailing slash on the URL). Enter the Windows domain as part of the username with a single backslash, i.e. "XYZ\jsexton". Watch /var/log/messages and /var/log/httpd/error_log for information. The exact location of some of these files may vary on your system.
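What the browser actually sends for that login, and how a server can take it apart again, as an added example for this post (not code from the original, and not mod_auth_pam's own parsing). The credentials are the post's sample values; split_domain_user is a hypothetical helper that shows the normalisation the author found PAM does not perform on its own.

```python
# Added example: the HTTP Basic credential for a DOMAIN\user login, built
# and parsed with the standard library only. Sample credentials are the
# post's "XYZ\jsexton" / "my_password"; nothing here contacts a server.
import base64


def basic_auth_header(username, password):
    """Build the Authorization header a browser sends for AuthType Basic.

    RFC 7617: base64 of "user:pass". The backslash in XYZ\\jsexton needs no
    special treatment, but the user-id must not contain ':' since that is
    the separator.
    """
    if ":" in username:
        raise ValueError("Basic auth user-ids cannot contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(header):
    """Recover (username, password) from an Authorization header.

    Splits on the first ':' only, so passwords containing colons survive.
    Note that this is a decode, not a decryption: anyone who can read the
    header on the wire gets the domain password.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic auth header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return username, password


def split_domain_user(login):
    """Hypothetical normalisation: 'XYZ\\jsexton' -> ('XYZ', 'jsexton').

    A bare 'jsexton' yields (None, 'jsexton'). This is the step the post
    found PAM/winbind would not perform, which is why the account phase
    looked up the literal string "XYZ\\jsexton" on the local box.
    """
    domain, sep, user = login.partition("\\")
    if not sep:
        return None, login
    if not domain or not user:
        raise ValueError(f"malformed DOMAIN\\user login: {login!r}")
    return domain, user


def demo():
    """Round-trip the post's sample login and show both views of it."""
    header = basic_auth_header("XYZ\\jsexton", "my_password")
    login, password = parse_basic_auth_header(header)
    domain, user = split_domain_user(login)
    return {"header": header, "login": login, "password": password,
            "domain": domain, "user": user}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the header is only base64, the domain password crosses the network in the clear on plain HTTP, so in this setup the /test/ location and the Subversion URL belong behind mod_ssl (or on a trusted network) before domain logins are handed to them. The decoded login string is also what PAM receives unchanged, consistent with the post's observation that PAM looked up "XYZ\jsexton" literally.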
