MacOS 10.4.6 and 'No groups file?' (was: Re: one step closer: 503 Error)

[Jon W. <jw...@ca...>]

On Mon, 17 Apr 2006, Craig A. Haynal wrote:

> A few days ago I was having a problem with 503 errors accompanied by a
> message in the error log: "configuration error:  couldn't check access.  No
> groups file?".
>
> I determined that the OS X Server 10.4.6 update had changed the modules list 
> in my Apache configuration and mod_auth was no longer being loaded; setting 
> mod_auth to load and restarting the server fixed my problem, so you might 
> want to check your error log for messages similar to the above.

Indeed - I've just been investigating this in a non-CAS context.

Apache on OS X Server (though not on the non-Server version) appears to 
use mod_auth_apple in place of mod_auth by default. mod_auth_apple seems 
to be a modified mod_auth which can also look users up in the system 
password anfd group files (or MacOS equivalent). As from 10.4.6, 
mod_auth_apple appears to decline to perform authorization if AuthType 
isn't set to 'Basic' (prior to 10.4.6 it would perform authorization for 
any AuthType).

Apple seem to also provide an un-modified mod_auth and the best solution 
to this problem seems to be to enable that. The two can probably co-exist, 
but it would be safer to also disable mod_auth_apple unless its features 
are required.

The "configuration error:  couldn't check access.  No groups file?" 
message is misleading - in this case it actually means that Apache 
couldn't find a handlers willing to perform the authorization step.

Jon.

-- 
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge