Ok. I just finished upgrading a web server from Apache 2.0 to 2.2. I’ve been running 2.2 on other machines for months now and have never had a problem with the upgrade process until today.
I have a Trac install on the server that’s protected with generic http auth:
AuthType basic AuthName "Repository Name" AuthUserFile "/dir/to/htpasswd" Require valid-user
This sort of config has worked for forever. It worked fine under 2.0. It works fine under 2.2. This is not the problem.
When they changed the version number to 2.2 they renamed a whole bunch of the auth modules. They also split a bunch of the behaviors out into multiple separate modules.
So, in order to get the behavior I got by including just mod_auth, I now had to include several different mods. No problem there. The docs tell you this. No problem there.
Thus, my config got a section that looked like this:
LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_host_module modules/mod_authz_host.so
Mod_auth_basic for the fundamental behaviors. Mod_authn_file to allow me to read from an htpasswd file. Mod_authz_host because they renamed mod_access (the “allow from xxx.yyy.zzz.com” type directives).
That got apache loading and understanding all of my config file. Then I tried to go to the trac install and blam. 500 internal nastiness error of kabloomitude.
Apache log file said:
[Mon Nov 20 11:47:12 2006] [crit] [client my.ip.address] configuration error: couldn't check access. No groups file?: /projects, referer: http://hostname/
Yeah. I was pretty sure I never mentioned anything about auth groups. Checking the entire config file proved me right. 30 minutes of quality time with Google proved entirely unhelpful. Just a bunch of cries for help that were either unanswered or eventually resolved for reasons unrelated to my problem.
I did discover that including mod_authn_default at least prevents the 500’s – just turning them into auth denied errors.
Turns out in my case that in order to actually auth against usernames you must include mod_authz_user now. This wasn’t mentioned in any of the docs I dug through.
So what was happening?
The “no groups file?” error message provided is erroneous. It’s generated as part of some fallthrough code in Apache itself that happens when no existing auth mechanism is able to assume responsibility.
It requested the password and then had nothing to do with it – it didn’t know how to “Require valid-user” or something so it just bombed through, hoping another mod would answer… which of course didn’t happen since I didn’t specify a second authentication method for these url’s.
Moral of the story?
Starting from scratch with Apache config files is painful. Avoid it if possible. If upgrading versions, grab the default config file and merge your changes into it in stead of dropping your file in place and hoping it works as is.
I would have done this but I was working on a Windows server (yeah, I know, but some people in the .NET group are scared of progress – more on this particular saga later) and the windows apache installer doesn’t apparently generate a default config file if it detects one already in place. On unix, I always compile critical server applications by hand, so I always have the defaults to work from.
This solved my problem too! Thanks much!
Dave
Thanks for doing all the hard work of figuring that out and posting about it. I had the exact same problem. You’ve saved the day!
It’s pretty annoying to spend a couple hours upgrading to apache2.2, only to have everything working except my trac authentication. Bah.
Very nice, thanks for the explanation. It helped me to quickly solve a situation where I ran in exactly the same problem for the exact same reason. Cheers!
thanks!!!!!!!!!!!!!!!!!!!!
it worked!!!!!!!!!
jobst
You saved my ass
Thanks!
Thanks, your sugestion solve my problem.
[...] Untitled :: Blog Archive » no groups file? This helped get the mod_auth working for httpd-2.2.4 Stumble it! [...]
THANK YOU! My migration to 2.2 has been killing me and you completed the task … thanks for the work and for sharing!
-tonyd
Thanks, this saved me some time here.
Thanks so much!
D
Thanks,
After 4 painful hours at work this afternoon you solved the problem.
Thanks a ton!
I had whacked at this for the past 2 days and this website save the day!
Worked for me. Thank you!
And this is good advice :
“Starting from scratch with Apache config files is painful. Avoid it if possible. If upgrading versions, grab the default config file and merge your changes into it in stead of dropping your file in place and hoping it works as is.”
What tool would you recommend to merge the configs? git?
Shrug, you could use version control to keep track of your Apache configs if you’re constantly tweaking them.
However, the nature of upgrading between versions is such that an scm style diff util might not be what you want to use to migrate changes.
I usually just diff by hand, since the things I’m adding are typically just things like virtualhost blocks, etc…
[...] I found a blog post about the no groups file? error I got then, which suggested re-enabling mod_authz_user. That cured the error, although I [...]
This worked like a charm. Upgrading Apache 2.0 to 2.2 was a pain, the upgrade manual should include this information.
Hi Ammon, than you for this post that solved the same problem I had.
I just want 2 things to be more clear :
1) if you put some group authentication requirements, it would work (works for me for basic authentication) :
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
AuthzGroupFileAuthoritative On
AuthGroupFile "XXX/test.htgrp"
Require group testgroup
Useless and inelegant, but working. The error message is not so unclear.
2) there are some installations options in the windows installer (I’m currently using the 2.2.10 version) that installs in the “extra” folder the default configuration files you claim.
Apache 2.2 documentation doesn’t ever explain anything about the precise requirements between modules and assumes you use the default configuration file. I regret it too.
In fact, reading longer the Apache 2.2 documentation : the “require valid-user” diretive explicitly requires the specified authz_user module ; the “require ” directive requires either authz_user directive OR authz_groupfile.
Moral of the story : We should all read the f. manual completely.
Grin. I wrote this post two years ago, at the time, I couldn’t find the default configs. They very well could have added them since then
I just spent over an hour fighting this problem – you just saved me a mental breakdown. Thanks a lot! Adding mod_authz_user fixed it straight away!
This is the blog post that just keeps on giving. You helped me too; thanks Ammon. BTW, you are first in an AOL search of ‘apache2 “no groups file”‘
Glad to be of help. I have two or three posts like this. I just wish I could come up with more similar usefulness
Thank you very much!
.
Ahhh…that’s better…those nasty 500’s have been replaced with my lovely Nagios instance. Thanks for the post.
Thank you! Worked for me and will follow you advice next time regarding merging changes;)