SourceForge Apache Logo

mod_auth_samba - Apache Authentication Module

mod_auth_sanba allows you use Windows user database for user password authentication and ndbm database for groups in WWW authentication.

Table of Content

Download | Configuration | Technical Notes | Tested On... | Installation | Problems | TODO | References | Changes between versions | Disclaimers


Apache 1.2.x
Version 1.0
Apache 1.3.x
Version 1.1


The following directives have been added which you can put in a <Directory>, <Location> or .htaccess:
AuthSambaEnabled On|Off
If Off, Samba will decline all requests. This can be useful in case you have virtual hosts in use and don't want to use Samba on some of them. Default is On.
AuthSambaAuthoritative On|Off
If On, the system files are considered authorative, control will not be passed to other access control modules. Off allows you to use this with other access modules, to allow access for users defined in a .htpasswd file as well as other users on the system. To enable this functionality, this module should be included after mod_auth in your configuration file. Default is On.
AuthSambaDomain Domain1:NT1,NT2 Domain2:NT3 ,NT4,NT5
Specifies, which domains are to be used and what are their domain controllers. NT5 is only used if user didn't validate against Domain1 and NT3 and NT4 reported server or protocol error, when mod_auth_samba tried to connect to them.
AuthSambaGroupDbm database
Database, which has information about users and groups, where they belong. User is the key and group names form the data.
AuthSambaCacheTimeout seconds
If username password pair is found from cache buffer, we check if it has already past timeout period or in it. If timeout has happened, we ignore cached information and try validation to domain controller. Default is 43200 seconds (= 12 hours). All failed authentications are tested against Windows servers so that proper accounts get locked and users can use their changed passwords.


Here is example from .htaccess file that uses mod_auth_samba.
AuthAuthoritative Off
AuthSambaAuthoritative On
AuthType Basic
AuthName Company_Intranet
AuthUserFile /usr/local/www/auth/users
AuthGroupFile /usr/local/www/auth/groups
AuthSambaDomain DOMAIN:dc DOMAIN1:dc1
AuthSambaGroupDbm /usr/local/www/auth/group
<Limit GET POST>
require group 6333 6335 6212 6215 2011 2012 2013 2030 2100 2200
require group 6892 6893 6894 6896 6898 1592 9050 9900

Technical Notes

mod_auth_samba is built on top of mod_auth_sys and pam_smb. mod_auth_sys provided the frame for module, while pam_smb provided necessary routines for accessing Windows NT user database.

Authentication operation takes following steps:

  1. Local cache is checked for username-password pair
  2. If none is found, it has expired or it doesn't match with input, we try to validate on NT domain controllers (Valid_User() from pam_smb)
  3. If username-password pair didn't check up, module stops in here. Otherwise it continues.
  4. Store username-password pair into cache.
  5. Group check

It should be noted that in group check, its assumed that on data part, you have one empty space before and one after each group.

Tested on

System has been tested on following setups:

Installation (for Apache 1.2.x)

To enable this module, install pam_smb library, unpack mod_auth_samba, copy mod_auth_samba.h and mod_auth_samba.c into src subdirectory, add following lines into your Configuration file:

EXTRA_LIBS=/lib/security/ -lpam
Module samba_auth_module     mod_auth_samba.o
Rebuild the configuration using Configure and run the make.

Installation (for Apache 1.3.x)

Installation on Apache 1.3.3 is little bit different and whole lot simpler. If you are working on Linux platform, see Linux specific installation help from followup section in bug 103256. For other platforms, instructins are following:

cp some/where/out/there/mod_auth_samba.* src/modules/extra/
setenv LIBS "/lib/security/ -lpam"
./configure --add-module=src/modules/extra/mod_auth_samba.c

Problems, etc.



Software Components

  1. mod_auth_samba (mandatory)
  2. pam_smb is required by mod_auth_samba
  3. mod_ssl can be used to provide extra security
  4. Fortify is needed, if you wish to get real security for Netscape browsers


  1. Ylitalo J., Case Study about User Authentication and Management in WWW, In Proc 1st International System Administration and Networking Conference (SANE'98) Nov 18th-20th, 1998, Maastricht, The Netherlands (see proceedings & slides)


This module has some rather significant security considerations. Since the system password file is used, passwords captured during transit over the internet can be used to break into your system. Remember, passwords are transferred in clear text for every secure page that's accessed unless you use SSL as additional layer of security.

This module is derived from work done by the Apache Group and is subject to the same terms and conditions as the Apache server.

© 1997-2000 Juha Ylitalo < >
Last generated: April 6, 2000