[Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised.

Dan Cox dan at wep.net
Wed Jan 11 02:18:24 UTC 2006


Try a couple of things...

Change the triple
(ldap02,,inside.exampledomain.com)

to read

(ldap02,,)

If that works, try changing it to read:

(ldap02,,exampledomain.com)

If that works, then NIS netgroups may not be able to work with subdomains.

Dan-

Michael Montgomery wrote:

>I've been trying to set up and test using NIS netgroups as a means of
>access control, and have run into some difficulties.  I have two client
>systems (ldap01, ldap02) set up to authenticate against an LDAP database.
>pam_ldap and everything are set up and functioning as they should with
>respect to allowing users queried from the LDAP database to log in.  Here
>are the relevant details.
>
>(I'm using this, btw
>http://directory.fedora.redhat.com/wiki/Howto:Netgroups )
>
>[root at ldap02 security]# hostname
>ldap02.inside.exampledomain.com
>
>[root at ldap02 ~]# host ldap02.inside.exampledomain.com
>ldap02.inside.theplanet.com has address 10.5.1.17
>
>[root at ldap02 ~]# host 10.5.1.17
>17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com
>
>[root at ldap02 security]# getent netgroup unixisusers
>unixisusers           ( , mmontgomery, )
>
>[root at ldap02 security]# getent netgroup unixissystems
>unixissystems         (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)
>
>[root at ldap02 security]# id mmontgomery
>uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS)
>
>[root at ldap02 security]# tail access.conf  | grep -v '#'
>+ : root : LOCAL
>+ : mmont : ALL
>+ : @unixisusers@@unixissystems : ALL
>- : ALL : ALL
>
>[root at ldap02 pam.d]# cat system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>auth        required      /lib/security/$ISA/pam_deny.so
>
>account     required      /lib/security/$ISA/pam_unix.so
>account     required      /lib/security/$ISA/pam_access.so
>account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
>account     required      /lib/security/$ISA/pam_permit.so
>
>password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>password    required      /lib/security/$ISA/pam_deny.so
>
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
>session     optional      /lib/security/$ISA/pam_ldap.so
>
>When trying to login remotely, I get this:
>
>/var/log/messages:
>Jan  9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com'
>
>Adding this to access.conf makes it work, though:
>
>+ : @unixisusers : ALL
>
>Does anyone have any ideas what I'm overlooking here?
>
>Thanks
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
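To reason about which of the netgroup triples above would actually admit the login, here is an added example (not code from the thread, the Fedora Directory Server wiki, or Linux-PAM) that models in Python how glibc's innetgr() and pam_access's user_match() evaluate a `+ : @users@@hosts : ALL` rule. The model rests on two assumptions that are stated in the comments rather than in the mail: innetgr() treats an empty triple field or a NULL argument as a wildcard and compares the host field as a whole string (so `ldap02` does not match `ldap02.inside.exampledomain.com`), and pam_access matches the `@@hosts` side against the local machine's own hostname with the NIS domain (if any) as the domain argument. The `try_variants` function runs the three triple-domain spellings from Dan's reply against a given local hostname and NIS domain; the hostnames and domains used in the demo are constructed from the values shown in the thread.

```python
# Added example (not from the original thread): a simplified model of how
# glibc innetgr() and pam_access evaluate a "+ : @users@@hosts : ALL" rule,
# so the netgroup triples from the thread can be checked offline.
#
# Assumptions made by this model, not stated in the mail:
#   - innetgr(): an empty triple field and a None argument are both wildcards;
#     host and domain are compared case-insensitively as whole strings, user
#     exactly; a bare name inside a netgroup is a nested netgroup, expanded
#     recursively.
#   - pam_access: for a users field "@ugroup@@hgroup", the user must be in
#     ugroup and the LOCAL hostname (what gethostname() returns) must be in
#     hgroup; the domain passed to innetgr() is the NIS domain, or None when
#     the machine has no NIS domain set.
from typing import Dict, List, Optional, Tuple, Union

Triple = Tuple[str, str, str]          # (host, user, domain)
Netgroups = Dict[str, List[Union[Triple, str]]]


def innetgr(netgroups: Netgroups, group: str, host: Optional[str],
            user: Optional[str], domain: Optional[str],
            _seen: Optional[set] = None) -> bool:
    """Return True if (host, user, domain) matches a triple in `group`."""
    seen = _seen if _seen is not None else set()
    if group in seen or group not in netgroups:
        return False                    # unknown or cyclic group: no match
    seen.add(group)
    for member in netgroups[group]:
        if isinstance(member, str):     # nested netgroup name
            if innetgr(netgroups, member, host, user, domain, seen):
                return True
            continue
        t_host, t_user, t_dom = member
        host_ok = not t_host or host is None or t_host.lower() == host.lower()
        user_ok = not t_user or user is None or t_user == user
        dom_ok = not t_dom or domain is None or t_dom.lower() == domain.lower()
        if host_ok and user_ok and dom_ok:
            return True
    return False


def users_field_matches(netgroups: Netgroups, field: str, user: str,
                        local_hostname: str, nis_domain: Optional[str]) -> bool:
    """Model pam_access user_match() for the users column of access.conf."""
    if not field.startswith("@"):
        return field == "ALL" or field == user
    if "@@" in field:                   # "@usergroup@@hostgroup"
        ugroup, hgroup = field[1:].split("@@", 1)
        return (innetgr(netgroups, ugroup, None, user, nis_domain)
                and innetgr(netgroups, hgroup, local_hostname, None, nis_domain))
    return innetgr(netgroups, field[1:], None, user, nis_domain)


def build_netgroups(system_domain: str) -> Netgroups:
    """Netgroup data as `getent netgroup` showed it, with the domain field of
    the system triples parameterised so the variants from the reply can be tried."""
    return {
        "unixisusers": [("", "mmontgomery", "")],
        "unixissystems": [("ldap01", "", system_domain),
                          ("ldap02", "", system_domain)],
    }


RULE = "@unixisusers@@unixissystems"                 # users column from access.conf
VARIANTS = ["inside.exampledomain.com", "", "exampledomain.com"]   # from the reply


def try_variants(local_hostname: str, nis_domain: Optional[str]) -> Dict[str, bool]:
    """For each triple-domain variant, does the rule admit mmontgomery on this host?"""
    return {dom: users_field_matches(build_netgroups(dom), RULE, "mmontgomery",
                                     local_hostname, nis_domain)
            for dom in VARIANTS}


if __name__ == "__main__":
    # Constructed scenarios: what the client reports as hostname / NIS domain.
    for hostname, nisdom in [("ldap02.inside.exampledomain.com", None),
                             ("ldap02", None),
                             ("ldap02", "exampledomain.com")]:
        print(f"local hostname={hostname!r}  NIS domain={nisdom!r}")
        for dom, ok in try_variants(hostname, nisdom).items():
            print(f"  (ldap02,,{dom}) -> {'allowed' if ok else 'denied'}")
```

Run it and compare the scenario that matches your client's real `hostname` and `domainname` output; the model is only a reading aid, and the authoritative check remains `getent netgroup` and a test login on the box. The `- : ALL : ALL` line at the end of access.conf is what keeps a non-matching netgroup failing closed, which is the behaviour the log line in the thread shows.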