Got some feedback from the experts. If you use
--------------------------------------------------------------------------------------------------------------------------------------------
auth required /lib/security/$ISA/pam_wheel.so trust use_uid [group=Domain Admins]
--------------------------------------------------------------------------------------------------------------------------------------------
then at least it sees the group. However, I am now getting:
------------------------------------------------------------------------------------------------------------------------------------------
PAM-Wheel[20199]: Access denied to 'useraccount' for 'root'
-------------------------------------------------------------------------------------------------------------------------------------------
HOWEVER; when I do a strace I am seeing the following:
------------------------------------------------------------------------------------------------------------------------------------------
read(4, "\204\5\0\0\1\0\0\0Systems Group\0\0\0\0\0\0\0\0\0\0\0"..., 1300) = 1300
select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
read(4, "useraccount1,useraccount2,useraccount3,useraccount4"..., 112) = 112
------------------------------------------------------------------------------------------------------------------------------------------
So it's seeing the group and the membership, but for some reason maybe hanging up here?:
------------------------------------------------------------------------------------------------------------------------------------------
readlink("/proc/self/exe", 0xbfeab350, 4095) = -1 EACCES (Permission denied)
------------------------------------------------------------------------------------------------------------------------------------------
That link works fine when I execute it as my normal user account and as the root account.
Any ideas? When I change the group to a local group, it works no problem. Below is my su file:
-----------------------------/etc/pam.d/su-------------------------------------------------------------
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
auth required pam_wheel.so debug [group=Domain Admins]
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required pam_selinux.so open
session optional pam_xauth.so
-------------------------------------------------------------------------------------------------------------
On Sat, 2007-09-15 at 08:09 +0800, John Summerfield wrote:
Daniel Northam wrote:
> Yeah I had actually already tried that. It gives:
>
> [tried Admin\ Group]
> no members in 'Admin\' group
> PAM-Wheel[25423]: pam_parse: unknown option; Group
>
> [tried Admin Group]
> no members in 'Admin'
> pam_parse: unknown option; Group
>
> single quotes,double quotes don't work.
>
>
> So not sure if I should report this as an "existing bug" or a "new
> feature request". Any opinions? Linux groups don't consider spaces in
> group names to be valid; however, if it's going to be compatible with
> winbind/samba groups then it needs to support spaces.
>
>
> On Thu, 2007-09-13 at 17:17 -0700, Philipoff, Andrew wrote:
>> Would using a backslash before the space work? Perhaps something like:
>>
>> auth required /lib/security/$ISA/pam_wheel.so trust use_uid
>> group=Admin\ Group
>>
>>
>>
>> My reasoning for this is because on our AD bound RHEL systems I
>> sometimes have to chgrp data to an AD group that has a space in the
>> name such as Domain Users. For example to chgrp a directory called
>> test to group Domain Users I run the following:
>>
>> chgrp Domain\ Users test
>>
>>
>>
>>
>> Andrew Philipoff
>> Programmer Analyst
>> Information Technology Services
>> Department of Medicine
>> University of California, San Francisco
>>
>> From: nahant-list-bounces redhat com
>> [mailto:nahant-list-bounces redhat com] On Behalf Of Daniel Northam
>> Sent: Thursday, September 13, 2007 2:16 PM
>> To: Red Hat Enterprise Linux 4 (Nahant) Discussion List
>> Subject: Re: Trying to Limit 'su' access to Domain Group using pam
>>
>> ok thanks, I will give it a try; but unfortunately all my security
>> groups contain spaces "Domain Admins" as an example.
>>
>> On Wed, 2007-09-12 at 21:04 -0500, Chris Adams wrote:
>>
>>
>>
>> Once upon a time, Daniel Northam <dnortham raleys com> said:
>>> auth required /lib/security/$ISA/pam_wheel.so trust use_uid group="Admin Group"
>>
>> I don't think pam_wheel supports a quoted string as the group name.
>> Reading the source, it doesn't make any allowance for a quoted string
>> (it would see "Admin as the group name and Group" as a separate
>> unsupported option). Try using a group name with no spaces (so no need
>> for quotes).
I suggest RFE, and if you have someone around who can produce and test,
so much the better - it will get you going while the experts consider it.
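The whole thread turns on how a pam.d line is split into module arguments: a bare `group="Admin Group"` or `group=Admin\ Group` is broken at the space, so pam_wheel sees a truncated group name plus an unknown option, while `[group=Domain Admins]` survives as one argument because pam.conf(5) lets square brackets enclose an argument containing spaces (with `\]` standing for a literal `]`). The following C program is an added illustration of that tokenisation, not code from Linux-PAM or pam_wheel; `pam_split_args` and `pam_wheel_scan` are simplified re-implementations written for this example, and the list of accepted flags is the one documented for pam_wheel (debug, use_uid, trust, deny, root_only, group=).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16
#define MAX_ARG_LEN 128

typedef struct {
    int argc;
    char argv[MAX_ARGS][MAX_ARG_LEN];
} pam_args;

/* Tokenise a pam.d module-argument string the way pam.conf(5) describes:
 * whitespace separates arguments, an argument wrapped in [ ] may contain
 * spaces, and "\]" inside the brackets stands for a literal ']'.
 * Returns the number of arguments, or -1 on overflow / unterminated bracket.
 * (Simplified re-implementation for illustration, not Linux-PAM's parser.) */
int pam_split_args(const char *line, pam_args *out)
{
    const char *p = line;
    out->argc = 0;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;   /* skip separators */
        if (!*p) break;
        if (out->argc >= MAX_ARGS) return -1;
        char *dst = out->argv[out->argc];
        int len = 0;
        if (*p == '[') {                                 /* bracketed argument */
            p++;
            while (*p && *p != ']') {
                if (*p == '\\' && p[1] == ']') p++;      /* "\]" -> ']' */
                if (len >= MAX_ARG_LEN - 1) return -1;
                dst[len++] = *p++;
            }
            if (*p != ']') return -1;                    /* unterminated bracket */
            p++;
        } else {                                         /* plain word: stops at space */
            while (*p && !isspace((unsigned char)*p)) {
                if (len >= MAX_ARG_LEN - 1) return -1;
                dst[len++] = *p++;
            }
        }
        dst[len] = '\0';
        out->argc++;
    }
    return out->argc;
}

/* Mimic pam_wheel's option scan: documented flags are accepted, "group=NAME"
 * sets the group, anything else counts as an unknown option (the
 * "pam_parse: unknown option" message seen in the thread).
 * Returns the number of unknown options; copies the group name into `group`. */
int pam_wheel_scan(const pam_args *a, char *group, size_t group_len)
{
    static const char *known[] = {"debug", "use_uid", "trust", "deny", "root_only"};
    int unknown = 0;
    group[0] = '\0';
    for (int i = 0; i < a->argc; i++) {
        const char *arg = a->argv[i];
        if (strncmp(arg, "group=", 6) == 0) {
            snprintf(group, group_len, "%s", arg + 6);
            continue;
        }
        int ok = 0;
        for (size_t k = 0; k < sizeof known / sizeof known[0]; k++)
            if (strcmp(arg, known[k]) == 0) ok = 1;
        if (!ok) unknown++;
    }
    return unknown;
}

int main(void)
{
    /* constructed sample argument strings, matching the forms tried in the thread */
    const char *samples[] = {
        "trust use_uid group=\"Admin Group\"",
        "trust use_uid group=Admin\\ Group",
        "trust use_uid [group=Domain Admins]",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pam_args a;
        char group[64];
        int n = pam_split_args(samples[i], &a);
        int unknown = pam_wheel_scan(&a, group, sizeof group);
        printf("%-40s -> %d args, group='%s', unknown options=%d\n",
               samples[i], n, group, unknown);
    }
    return 0;
}
```

Running it shows the first two forms producing a truncated group (`"Admin` or `Admin\`) plus one unknown option, and the bracketed form producing the single argument `group=Domain Admins` with no unknown options, which is exactly the change in behaviour reported once the bracket syntax was used.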