page requires login when I refresh or change pages

The funny thing is, it didn't do this until last week, which is making me all kinds of paranoid...

Anyway, I'm running a RH7.1 box with apache 1.3.20 and mod_auth_smb, and I'm authenticating against my WinNT 4 domain controller so I don't have to maintain a local password list.

This works fine, and worked perfectly up until last week, when it started insisting that every time I refresh a page, it again prompts me for my password. It also asks me occasionaly when I go to a new page, but usually not when I have a page that links to itself... Sometimes if I cancel, it gives me an error, sometimes it displays the page anyway.

My .htaccess file is located in the root of my site (intranet) and the area I'm working on right now is one directory below the root.

My .htaccess file looks like so:
Authname "name"
AuthType Basic
Auth_SMB_Server ntserver
Auth_SMB_Domain ntdomain
require valid-user

My virtual host setup in httpd.conf is:
NameVirtualHost myipaddress
<VirtualHost domainname>
ServerAdmin webmaster@domainname
DocumentRoot /usr/local/www/net/htdocs/
ServerName domainname
ErrorLog logs/net.error_log
</VirtualHost>

My directory setup for it is:
<Directory "/usr/local/www/net/htdocs">
Options Indexes MultiViews
AllowOverride AuthConfig
Order deny,allow
Allow from all
</Directory>

Any ideas on why I'm getting these damned login prompts?

Also, any obvious security holes in the above setup? (I can post the rest of my httpd.conf if anyone is kind enough to analyze it)

Thanks!!!

# Nathan

>> <VirtualHost domainname>

Change to <VirtualHost myipaddress>

>> DocumentRoot /usr/local/www/net/htdocs/

Change to: DocumentRoot "/usr/local/www/net/htdocs"

>> Order deny,allow
>> Allow from all

Remove them

>> My .htaccess file looks like so

Why can't you do it in httpd.conf? .htaccess is for those who don't have access to httpd.conf and the ones who want to do something dynamic.

BTW, I don't know how mod_auth_smb works because I haven't tried it. If possible, change Auth_SMB_Server ntserver to its IP address.

Okay, I changed the virtualhost, removed the trailing slash from my documentroot, and removed the order/allow lines. I will attempt to figure out how to do all my htaccess stuff in httpd.conf.

A quick update; after restarting httpd with the above changes made, I'm getting a prompt to login for EVERY picture I have on that site... so maybe 10 prompts just to see my index page. Thank goodness most of my site after the index is text only!

I'll muck around with my conf file and see if I can't get rid of this.

Thanks for your help, freebie :-)

# Nathan

Okay, apparently mod_auth_smb does not allow IP addresses in the Auth_SMB_Server directive.

I put all my htaccess info into the <Directory> section of my conf file, and changed my AllowOverride to None. Apache restarts ok, but I'm still having to enter a password for every single file my browser has to go get.

Any other ideas?

>> but I'm still having to enter a password for every single file

With another mod_auth_*, usually that happens when the protected directory is a symlink or an alias. If that's the case, add the appropriate <Directory "/path/to/protected/dir">

>> any obvious security holes in the above setup?

I forgot to reply this. There is a critical security hole in all version of Apache prior to 1.3.21 (will be released in a few days). When MutiViews is enabled, visitors can bypass your DirectoryIndex page and see your directory listing with the query string of ?M=D. I see that you have specified Indexes, which will let everyone to see your directory listing when your DirectoryIndex file is not present. So you probably should disable that.

The directory I'm protecting is the same as the absolute path in the <Directory /usr/local/www/net/htdocs> tag.

To recap, my httpd.conf entry for my intranet now reads like so:

<Directory "/usr/local/www/net/htdocs">
Options Indexes
AllowOverride None
Auth_SMB_Server NTSERVER #can't use 192.168.1.2 unfortunately
Auth_SMB_Domain NTDOMAIN
AuthType Basic
AuthName "intranet"
Require valid-user
</Directory>

The bloody thing is still asking me to login for each of the 14 images on my main page (I had forgotten the swapping images) which I can't really ask my fellow employees to do... :-P

Any other ideas?

Many thanks again!

# Nathan

As I said, I have never tried mod_auth_smb. I suggest you to start from basics and use -> http://httpd.apache.org/docs/mod/mod_auth.html just to see if it works.