Submitted by hpadrick on Mon, 12/28/2009 - 08:22
I have set up Virtualmin with LDAP and configured the system (mail, users, etc.) to use the LDAP server for authentication. The issue I am having is Apache's permissions on newly created virtual servers. In order for Apache to successfully display an index page I must chmod 777 from the home folder all the way through the public folder. Somewhere along the line the www-data group is not being allowed to serve the page. I get a Forbidden unless the permissions are changed.
LDAP seems to be configured and functioning properly. I can change users' passwords from the command line, users can login to usermin and email is working just fine.
Status:
Closed (fixed)
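Before chasing group membership, it helps to see exactly which directory denies www-data. The script below is an added example (not from the thread or from Virtualmin): it evaluates the search permission on every directory between a top directory and a web root for a named user and group list, straight from stat output, so it can be run as root without switching to www-data. It assumes GNU coreutils stat; the user outland and the tree it builds are constructed for illustration, and the 750 home directory stands in for a least-privilege layout, not for Virtualmin's actual default.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: work out whether a
# user can reach a web root through every directory above it, from the
# mode/owner/group that GNU `stat -c` reports, without su'ing to that user.
# Names such as outland and the directory layout are constructed.

# perm_allows MODE OWNER GROUP USER "GROUPS" BIT
#   MODE   octal mode as printed by `stat -c %a` (750, 2750, ...)
#   GROUPS space-separated list of USER's groups, as printed by `id -nG USER`
#   BIT    4 = read, 2 = write, 1 = execute/search
#   Returns 0 if BIT is set in the permission class that applies to USER
#   (owner first, then group, then other: the order the kernel uses).
perm_allows() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5 bit=$6
    # normalise to exactly three digits, dropping setuid/setgid/sticky
    mode=$(printf '%04d' "$mode")
    mode=${mode#"${mode%???}"}
    if [ "$user" = "$owner" ]; then
        digit=${mode%??}                                        # first digit
    else
        case " $groups " in
            *" $group "*) digit=${mode#?}; digit=${digit%?} ;;  # middle digit
            *)            digit=${mode#??} ;;                   # last digit
        esac
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# check_dir DIR USER "GROUPS"
#   0 if USER can search DIR; otherwise print why and return non-zero.
check_dir() {
    d=$1 u=$2 g=$3
    info=$(stat -c '%a %U %G' "$d" 2>/dev/null) || { echo "cannot stat $d"; return 2; }
    set -- $info
    perm_allows "$1" "$2" "$3" "$u" "$g" 1 && return 0
    echo "blocked at $d (mode $1, owner $2, group $3)"
    return 1
}

# dir_chain_ok TOP TARGET USER "GROUPS"
#   Check TOP and every directory from TOP down to TARGET.  For a real audit
#   use TOP=/ ; a narrower TOP is handy for throwaway test trees.
dir_chain_ok() {
    top=$1 target=$2 user=$3 groups=$4
    rel=${target#"$top"}; rel=${rel#/}
    dir=${top%/}
    check_dir "${dir:-/}" "$user" "$groups" || return 1
    while [ -n "$rel" ]; do
        comp=${rel%%/*}
        case $rel in */*) rel=${rel#*/} ;; *) rel= ;; esac
        [ -n "$comp" ] || continue
        dir="$dir/$comp"
        check_dir "$dir" "$user" "$groups" || return 1
    done
}

# Worked run on a constructed tree: a 750 home directory is enough as long as
# www-data is in the domain's group; world-writable (777) is never required.
demo() {
    tree=$(mktemp -d) && chmod 755 "$tree"
    mkdir -p "$tree/home/outland/public_html"
    chmod 755 "$tree/home" "$tree/home/outland/public_html"
    chmod 750 "$tree/home/outland"
    mygrp=$(id -gn)          # the current user's group stands in for the domain group
    for g in "www-data" "www-data $mygrp"; do
        printf 'groups [%s]: ' "$g"
        dir_chain_ok "$tree" "$tree/home/outland/public_html" www-data "$g" && echo ok
    done
    rm -rf "$tree"
}
demo
```

On the host in the thread the live call would be `dir_chain_ok / /home/outland/public_html www-data "$(id -nG www-data)"`. If that fails only because `id -nG www-data` omits the domain's group even though `getent group` lists www-data in it, the problem is the supplementary-group lookup rather than the modes, and chmod 777 merely papers over it. Apache additionally needs read permission on the .htaccess and index files inside the web root, which is what the pcfg_openfile error quoted in comment #9 is about.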
Comments
Submitted by hpadrick on Mon, 12/28/2009 - 10:17 Comment #1
Submitted by JamieCameron on Mon, 12/28/2009 - 13:22 Comment #2
It sounds like Apache's www-data user might not be getting added to the groups for new domains.
If you SSH in as root and run the command :
su -s /bin/sh www-data -c "id -a ; groups"
what does it output?
Submitted by hpadrick on Mon, 12/28/2009 - 14:57 Comment #3
Hi JamieCameron,
The output is below.
root@control:/home/administrator# su -s /bin/sh www-data -c "id -a ; groups"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
Thanks
Submitted by JamieCameron on Mon, 12/28/2009 - 15:42 Comment #4
Ok, looks like www-data isn't in the domains' groups.
If you go to Webmin -> System -> LDAP Users and Groups -> Groups -> some domain's group, does www-data appear as a member?
Submitted by hpadrick on Mon, 12/28/2009 - 16:31 Comment #5
www-data is a member in all of the groups listed.
Submitted by JamieCameron on Mon, 12/28/2009 - 16:34 Comment #6
Ok .. also check in /etc/nsswitch.conf that the
group:
line contains ldap
Submitted by hpadrick on Mon, 12/28/2009 - 16:39 Comment #7
Amazingly fast responses!
The file does contain ldap on the group line. Below are the contents of nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Submitted by JamieCameron on Mon, 12/28/2009 - 16:56 Comment #8
How about the users in your LDAP DB - are they showing up as regular Unix users? You could test with a command like :
id -a XXX
where XXX is the ID of a domain's username.
Submitted by hpadrick on Mon, 12/28/2009 - 19:19 Comment #9
The command above gives me
uid=1003(outland) gid=1004(outland) groups=1004(outland)
Here is the error that shows in a sites error_log
.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
and the page error when I try to visit:
Forbidden
You don't have permission to access / on this server.
Hope that helps, and thanks for your time.
Submitted by JamieCameron on Mon, 12/28/2009 - 19:33 Comment #10
Does it help if you delete the www-data user from your /etc/passwd and /etc/shadow files, then add it (with the same UID, GID and home directory) to your LDAP database using the LDAP Users and Groups module?
I have a feeling that a non-LDAP user cannot be in an LDAP group.
Submitted by hpadrick on Tue, 12/29/2009 - 07:41 Comment #11
I removed both the user and the group and added them as a LDAP user and LDAP group. No change.
The funny thing is I usually log into the system via ssh, but this time I logged in via the console. When logging in through the console the system requests I enter my password twice to log in as administrator so one of the authentication methods is failing.
In reviewing one of the pam.d files I came across
https://help.ubuntu.com/community/LDAPClientAuthentication
which indicates "a new tool to modify pam and nsswitch". I'm not sure if this could be the issue so I am pasting the output of the running profile below for review:
$ auth-client-config -S
[2009-12-29_08:39:16]
nss_group=group: compat ldap
nss_passwd=passwd: compat ldap
nss_shadow=shadow: compat ldap
pam_account=account sufficient pam_ldap.so
account required pam_unix.so
pam_auth=auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
auth optional pam_smbpass.so migrate missingok
pam_password=password sufficient pam_ldap.so
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok
password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session sufficient pam_ldap.so
session required pam_unix.so
Submitted by JamieCameron on Tue, 12/29/2009 - 11:20 Comment #12
I just thought of another possible cause - in your /etc/ldap.conf file, is there any pam_min_uid or pam_min_gid line set to something other than 0 ? If so, change it to 0.
Also check the files /etc/libnss-ldap.conf and /etc/pam_ldap.conf if they exist.
Submitted by hpadrick on Tue, 12/29/2009 - 13:24 Comment #13
The lines in the ldap.conf file for those settings are commented out.
Both of the files you are referring to are not there. Should they be links of another file?
Submitted by JamieCameron on Tue, 12/29/2009 - 13:28 Comment #14
In ldap.conf, try commenting them in with the values :
pam_min_uid 0
pam_min_gid 0
I seem to recall that the min UID defaults to something like 1000, which excludes the www-data user.
Submitted by hpadrick on Tue, 12/29/2009 - 16:57 Comment #15
Ok, I have added those settings to the config file and restarted, still no change.
In A and B'ing this LDAP box with a normal Virtualmin install, I did notice that when I run getent group on them, the groups on the LDAP box indicate they do not have a password set.
sitegroup:*:1002:www-data
Whereas the normal install shows
sitegroup:x:1002:www-data
Submitted by JamieCameron on Tue, 12/29/2009 - 17:19 Comment #16
How about the pam_member_attribute line in ldap.conf - what is that set to? It should be like :
pam_member_attribute memberUid
Submitted by hpadrick on Tue, 12/29/2009 - 17:21 Comment #17
The problem is trying to add the www-data to the site group. No matter what I try the www-data user will not show as a part of any other group.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
If I add a site to the www-data group it shows correctly. Both are in LDAP so I'm not sure what the problem could be.
Submitted by JamieCameron on Tue, 12/29/2009 - 17:26 Comment #18
Just thought of another possible cause - in ldap.conf there is an nss_initgroups_ignoreusers line. Make sure that www-data isn't in that list.
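Comment #18's check, together with the nsswitch check from comment #6, can be scripted. The following is an added example, not from the thread or from Virtualmin: it parses nsswitch.conf and an nss_ldap-style ldap.conf for those two settings, lists the groups whose member lists name a user but which initgroups() did not hand that user (the symptom of this thread), and emits a copy of ldap.conf with the user removed from nss_initgroups_ignoreusers. The file contents at the bottom are constructed samples, not Ubuntu's shipped defaults.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: script the checks
# from comments #6 and #18 against nsswitch.conf and an nss_ldap-style
# ldap.conf.  File paths are parameters so the functions can be run against
# copies; the samples at the bottom are constructed.

# nss_group_uses_ldap NSSWITCH_FILE
#   0 if the "group:" line names ldap as a source, 1 otherwise.
nss_group_uses_ldap() {
    awk '
        /^[[:space:]]*group:/ {
            sub(/^[[:space:]]*group:/, ""); sub(/#.*/, "")
            for (i = 1; i <= NF; i++) if ($i == "ldap") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# initgroups_ignored LDAP_CONF USER
#   0 if USER appears on an active nss_initgroups_ignoreusers line, which
#   makes nss_ldap skip LDAP when computing USER's supplementary groups.
initgroups_ignored() {
    awk -v user="$2" '
        $1 == "nss_initgroups_ignoreusers" {
            for (i = 2; i <= NF; i++) {
                n = split($i, list, ",")
                for (j = 1; j <= n; j++) if (list[j] == user) found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# remove_ignored_user LDAP_CONF USER
#   Print LDAP_CONF with USER dropped from nss_initgroups_ignoreusers; the
#   directive is removed entirely if nothing is left.  Other lines pass through.
remove_ignored_user() {
    awk -v user="$2" '
        $1 == "nss_initgroups_ignoreusers" {
            out = ""
            for (i = 2; i <= NF; i++) {
                n = split($i, list, ",")
                for (j = 1; j <= n; j++)
                    if (list[j] != "" && list[j] != user)
                        out = out (out == "" ? "" : ",") list[j]
            }
            if (out != "") print $1 " " out
            next
        }
        { print }' "$1"
}

# missing_groups USER "HAVE_GROUPS"   (group-database lines on stdin)
#   Print each group whose member list names USER but which is absent from
#   HAVE_GROUPS (the output of `id -nG USER`).  Live use on the host:
#     getent group | missing_groups www-data "$(id -nG www-data)"
#   Anything printed is a membership the group database knows about but
#   initgroups() did not deliver.
missing_groups() {
    have=" $2 "
    awk -F: -v user="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == user) print $1
    }' | while read -r g; do
        case $have in *" $g "*) ;; *) echo "$g" ;; esac
    done
}

# Constructed samples (not copied from any real host) to exercise the functions.
sample_groups='www-data:x:33:
outland:*:1004:www-data
sitegroup:*:1002:www-data'
sample_ldap_conf=$(mktemp)
cat >"$sample_ldap_conf" <<'EOF'
base dc=example,dc=com
uri ldap://127.0.0.1/
pam_member_attribute memberUid
nss_initgroups_ignoreusers backup,bin,daemon,root,sshd,sync,sys,www-data
EOF

# prints outland then sitegroup: both list www-data, neither reached initgroups()
printf '%s\n' "$sample_groups" | missing_groups www-data "www-data"
initgroups_ignored "$sample_ldap_conf" www-data && echo "www-data is ignored for initgroups"
remove_ignored_user "$sample_ldap_conf" www-data | grep nss_initgroups_ignoreusers
rm -f "$sample_ldap_conf"
```

nss_initgroups_ignoreusers exists to spare system accounts an LDAP round trip at login, so the fix is to drop only the accounts that must see LDAP groups (www-data here) rather than delete the directive, then rerun `id -nG www-data`. If nscd is running it caches group lookups; clear them with `nscd -i group` before retesting.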
Submitted by hpadrick on Tue, 12/29/2009 - 17:35 Comment #19
This is the happiest day of my life. It's funny how something so simple can cause so much misery. Thanks for all your time and effort Jamie.
Submitted by JamieCameron on Tue, 12/29/2009 - 17:48 Comment #20
Great! I will add a mention of this to the Virtualmin LDAP documentation ..
Submitted by Issues on Wed, 01/13/2010 - 07:20 Comment #21
Automatically closed -- issue fixed for 2 weeks with no activity.