brjames (n00b), Joined: 30 Sep 2003, Posts: 52
Posted: Fri May 13, 2005 2:17 am, Post subject: Can't su with ldap [solved (sorta)]
Hey, finally got LDAP authenticating on a client machine, but now I've found I can't use 'su'. root can use su, but my users can't.
These are the groups I'm a part of:

```
bash-2.05b$ groups
wheel floppy audio cdrom video games cdrw usb users portage
```

On the server this user can su to his heart's content (he exists in the main files as well). Any clue as to how to fix this?
Thanks in advance
Last edited by brjames on Fri May 13, 2005 6:14 am; edited 1 time in total
brjames (n00b), Joined: 30 Sep 2003, Posts: 52
Posted: Fri May 13, 2005 4:54 am
Ok, so after some looking around it's the following line in /etc/pam.d/su:

```
auth required /lib/security/pam_wheel.so use_uid
```

This line checks if the user in question is in the wheel group (or GID = 10).
So apparently, even though the "groups" command says I'm in the wheel group, pam_wheel doesn't believe it. Anybody know of a solution? Or is this not a problem on your setup?
brjames (n00b), Joined: 30 Sep 2003, Posts: 52
Posted: Fri May 13, 2005 6:35 am
So after digging through the source for pam_wheel and groups, I see that instead of checking if one of the user's groups is wheel, pam_wheel checks to see if the user is among the members of the wheel group.
What's the difference?
Well, the problem is sort of in nsswitch.conf:

```
passwd: files ldap
shadow: files ldap
group: files ldap
```

See how it checks the files before it checks ldap? Well, a wheel group exists in the local files, so since that's found it doesn't check ldap. Except none of my users exist in the local files, so they surely aren't members of wheel according to /etc/group.
First solution:
Change /etc/nsswitch.conf to the following:

```
passwd: files ldap
shadow: files ldap
group: ldap files
```

After some further thinking, and desiring to not have every single group lookup ever go to LDAP, I changed nsswitch.conf back and commented the wheel group out of the local /etc/group.
I say it's a sorta solution cuz it seems like this is not a universal fix. I suppose it shows that it's good practice to separate as much as possible LDAP users & groups and local users & groups, but what if that wasn't possible?
Consider the portage group: you don't want system users in the LDAP directory, so you delete the user "portage" from LDAP. But as a user you do want to test emerge output from your regular account, so you keep the portage group and add certain users to it. Of course the local machines still have the portage user, but they also have the portage group. So now you have two separate portage groups, one which has the regular user and one which has the portage user. What's to be done?
I suppose the proper solution is for nss to union the group memberships somehow... but that sounds very messy. Perhaps it should just be accepted as a limitation of nss.
[Note that the example of portage is complete BS for 2 reasons: 1. The portage user _owns_ the portage files so it doesn't matter a whit what group he belongs to and 2. portage is nice and checks if a user is a member of a group, not if a group's members include a user]
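The difference between the two lookups described in the post above, as an added example that is not part of the original thread. It simulates the nsswitch.conf source order in Python over constructed "files" and "ldap" passwd and group tables (the group names, GIDs and the user `brjames` are taken from the thread; the records themselves are made up). A getgrnam()-style lookup returns the first source's record, which is the one the member-list check modelled in `pam_wheel_allows` uses, while the merged initgroups()-style lookup in `getgrouplist` is what the `groups` command prints. It also carries the poster's second workaround (wheel commented out of the local /etc/group) through the same code.

```python
"""Why `groups` and pam_wheel can disagree about wheel membership.

Added example with constructed data: two NSS sources, "files" and "ldap", both
define a `wheel` group, and the user exists only in LDAP. A getgrnam()-style
lookup stops at the first source that has the group; an initgroups()-style
lookup, which is what `groups` reports, merges membership from every source.
"""

# Constructed records. Group tables map name -> (gid, member list);
# passwd tables map name -> primary gid.
FILES = (
    {"root": 0},                                    # /etc/passwd
    {"wheel": (10, ["root"]), "users": (100, [])},  # /etc/group
)
LDAP = (
    {"brjames": 100},                               # LDAP posixAccount entries
    {"wheel": (10, ["root", "brjames"]),            # LDAP posixGroup entries
     "users": (100, ["brjames"])},
)
SOURCES = {"files": FILES, "ldap": LDAP}

WHEEL_GID = 10  # GID pam_wheel falls back to when no group named "wheel" exists


def getpwnam(user, order, sources=SOURCES):
    """First-match passwd lookup following the nsswitch.conf `passwd:` order."""
    for src in order:
        passwd = sources[src][0]
        if user in passwd:
            return passwd[user]
    return None


def getgrnam(name, order, sources=SOURCES):
    """First-match group lookup following the nsswitch.conf `group:` order.
    Once a source answers, the remaining sources are never consulted."""
    for src in order:
        groups = sources[src][1]
        if name in groups:
            return groups[name]
    return None


def getgrgid(gid, order, sources=SOURCES):
    """First-match group lookup by numeric GID."""
    for src in order:
        for record in sources[src][1].values():
            if record[0] == gid:
                return record
    return None


def getgrouplist(user, order, sources=SOURCES):
    """initgroups()-style lookup: every source is asked which groups list the
    user and the answers are merged. This is what `groups` prints."""
    gids = set()
    primary = getpwnam(user, order, sources)
    if primary is not None:
        gids.add(primary)
    for src in order:
        for gid, members in sources[src][1].values():
            if user in members:
                gids.add(gid)
    return gids


def pam_wheel_allows(user, order, sources=SOURCES):
    """Model of the test pam_wheel applies to the calling user (use_uid):
    allow if the user's primary GID equals wheel's GID, or if the user appears
    in the member list of the single group record the lookup returned."""
    grp = getgrnam("wheel", order, sources) or getgrgid(WHEEL_GID, order, sources)
    if grp is None:
        return False
    gid, members = grp
    if getpwnam(user, order, sources) == gid:
        return True
    return user in members


def groups_reports_wheel(user, order, sources=SOURCES):
    """Whether the `groups` command would list the wheel GID for the user."""
    return WHEEL_GID in getgrouplist(user, order, sources)


def without_local_wheel(sources=SOURCES):
    """The poster's second workaround: the wheel line commented out of the
    local /etc/group, so the first-match lookup falls through to LDAP."""
    passwd, groups = sources["files"]
    groups = {name: rec for name, rec in groups.items() if name != "wheel"}
    return {**sources, "files": (passwd, groups)}


if __name__ == "__main__":
    for order in (("files", "ldap"), ("ldap", "files")):
        print(order, "groups says wheel:", groups_reports_wheel("brjames", order),
              "| pam_wheel allows:", pam_wheel_allows("brjames", order))
    print("files without wheel, pam_wheel allows:",
          pam_wheel_allows("brjames", ("files", "ldap"), without_local_wheel()))
```

With `group: files ldap` the two functions disagree exactly as the post describes: `groups` shows wheel (the LDAP record is merged in), but the first-match lookup hands pam_wheel the local record whose member list does not contain the user. Either swapping the order or dropping the local wheel line makes the first-match record the LDAP one.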
oleo (Tux's lil' helper), Joined: 09 Nov 2004, Posts: 117
Posted: Mon Jul 04, 2005 3:08 pm, Post subject: [SOLVED]
I also have the same problem, but I solved it!!!
This is the reference: http://ldots.org/ldap/
...and here is my /etc/pam.d/su file:

```
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_env.so
session sufficient /lib/security/pam_ldap.so
session optional /lib/security/pam_xauth.so
```

Every other line is commented out! Bye and good luck!
drak (n00b), Joined: 18 Jun 2003, Posts: 40
Posted: Wed Feb 28, 2007 2:21 pm, Post subject: Re: [SOLVED]
I don't think you have solved it! Unfortunately this doesn't work as it should.

```
auth sufficient /lib/security/pam_ldap.so
```

means that if the user can be authenticated against ldap it will allow the user to su. This does not check that the user is in the wheel group, and as such you may as well comment out the line:

```
auth required /lib/security/pam_wheel.so use_uid
```
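How the control flags in the posted su stack interact, as an added example that is not part of the original thread. The evaluator in Python implements the Linux-PAM meaning of `required`, `requisite`, `sufficient` and `optional` for a single management group and runs the auth lines of the stack posted above through it. The module outcomes it is fed are constructed, not real authentications, and the reordered `WHEEL_FIRST_AUTH` stack is a hypothetical variant used only to show the contrast, not a configuration from the thread.

```python
"""Linux-PAM control-flag evaluation for one management group (here: auth).

Added example with constructed module outcomes. Only the meaning of the
control flags is modelled: a `sufficient` success ends the stack with success
unless an earlier `required` module already failed, a `required` failure is
remembered while the stack keeps running, and `requisite` aborts at once.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


def evaluate_stack(stack, outcomes):
    """Walk `stack` (list of (control, module) in file order) and return
    (final_result, modules_actually_called). `outcomes` maps each module to
    the constructed True/False it would return if invoked."""
    called = []
    required_failed = False
    for control, module in stack:
        ok = outcomes[module]
        called.append(module)
        if control == "required":
            if not ok:
                required_failed = True       # keep going; final result is failure
        elif control == "requisite":
            if not ok:
                return PAM_AUTH_ERR, called  # stop immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return PAM_SUCCESS, called   # short-circuit: later lines never run
        elif control == "optional":
            pass                             # ignored when other modules are present
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), called


# The auth lines of the /etc/pam.d/su file posted above, in their posted order.
POSTED_AUTH = [
    ("sufficient", "pam_rootok.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_wheel.so use_uid"),
    ("required", "pam_stack.so service=system-auth"),
]

# Hypothetical reordering used only to show the difference: the wheel check
# runs before any `sufficient` line can end the stack.
WHEEL_FIRST_AUTH = [
    ("sufficient", "pam_rootok.so"),
    ("required", "pam_wheel.so use_uid"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_stack.so service=system-auth"),
]

# Constructed scenario: a non-root caller who is NOT in wheel, whose LDAP
# authentication succeeds and who has no entry in the local files.
LDAP_USER_NOT_IN_WHEEL = {
    "pam_rootok.so": False,
    "pam_ldap.so": True,
    "pam_wheel.so use_uid": False,
    "pam_stack.so service=system-auth": False,
}

# Same caller, but a member of wheel.
LDAP_USER_IN_WHEEL = dict(LDAP_USER_NOT_IN_WHEEL, **{"pam_wheel.so use_uid": True})


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH), ("wheel first", WHEEL_FIRST_AUTH)):
        result, called = evaluate_stack(stack, LDAP_USER_NOT_IN_WHEEL)
        print(f"{name:12s} caller not in wheel -> {result}; modules run: {called}")
```

In the posted order a successful pam_ldap returns success from the stack before pam_wheel is ever called, which is the behaviour drak points out; with the wheel check placed before the `sufficient` line, its failure is remembered and the later pam_ldap success cannot override it.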