Ok. I just finished upgrading a web server from Apache 2.0 to 2.2. I've been running 2.2 on other machines for months now and have never had a problem with the upgrade process until today.
I have a Trac install on the server that's protected with generic http auth:
AuthName "Repository Name"
AuthUserFile "/dir/to/htpasswd"
Require valid-user
This sort of config has worked for forever. It worked fine under 2.0. It works fine under 2.2. This is not the problem.
When they changed the version number to 2.2 they renamed a whole bunch of the auth modules. They also split a bunch of the behaviors out into multiple separate modules.
So, in order to get the behavior I got by including just mod_auth, I now had to include several different mods. No problem there. The docs tell you this. No problem there.
Thus, my config got a section that looked like this:
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
Mod_auth_basic for the fundamental behaviors. Mod_authn_file to allow me to read from an htpasswd file. Mod_authz_host because they renamed mod_access (the "allow from xxx.yyy.zzz.com" type directives).
That got apache loading and understanding all of my config file. Then I tried to go to the trac install and blam. 500 internal nastiness error of kabloomitude.
Apache log file said:
Yeah. I was pretty sure I never mentioned anything about auth groups. Checking the entire config file proved me right. 30 minutes of quality time with Google proved entirely unhelpful. Just a bunch of cries for help that were either unanswered or eventually resolved for reasons unrelated to my problem.
I did discover that including mod_authn_default at least prevents the 500's - just turning them into auth denied errors.
Turns out in my case that in order to actually auth against usernames you must include mod_authz_user now. This wasn't mentioned in any of the docs I dug through.
So what was happening?
The "no groups file?" error message provided is erroneous. It's generated as part of some fallthrough code in Apache itself that happens when no existing auth mechanism is able to assume responsibility.
It requested the password and then had nothing to do with it - it didn't know how to "Require valid-user" or something so it just bombed through, hoping another mod would answer... which of course didn't happen since I didn't specify a second authentication method for these url's.
Moral of the story?
Starting from scratch with Apache config files is painful. Avoid it if possible. If upgrading versions, grab the default config file and merge your changes into it in stead of dropping your file in place and hoping it works as is.
I would have done this but I was working on a Windows server (yeah, I know, but some people in the .NET group are scared of progress - more on this particular saga later) and the windows apache installer doesn't apparently generate a default config file if it detects one already in place. On unix, I always compile critical server applications by hand, so I always have the defaults to work from.
). We're restricting this access via the standard issue apache http basic auth system with an .htaccess file that looks something like this: