
RE: Trying to Limit 'su' access to Domain Group using pam

Yeah I had actually already tried that. It gives:

[tried Admin\ Group]
no members in 'Admin\' group
PAM-Wheel[25423]: pam_parse: unknown option; Group

[tried Admin Group]
no members in 'Admin'
pam_parse: unknown option; Group

Single quotes and double quotes don't work.

So not sure if I should report this as an "existing bug" or a "new feature request". Any opinions? Linux groups don't consider spaces in group names to be valid; however, if it's going to be compatible with winbind/samba groups then it needs to support spaces.

On Thu, 2007-09-13 at 17:17 -0700, Philipoff, Andrew wrote:
Would using a backslash before the space work? Perhaps something like:

auth       required   /lib/security/$ISA/pam_wheel.so trust use_uid group=Admin\ Group


My reasoning for this is because on our AD bound RHEL systems I sometimes have to chgrp data to an AD group that has a space in the name such as Domain Users. For example to chgrp a directory called test to group Domain Users I run the following:

chgrp Domain\ Users test


Andrew Philipoff
Programmer Analyst
Information Technology Services
Department of Medicine
University of California, San Francisco


From: nahant-list-bounces redhat com [mailto:nahant-list-bounces redhat com] On Behalf Of Daniel Northam
Sent: Thursday, September 13, 2007 2:16 PM
To: Red Hat Enterprise Linux 4 (Nahant) Discussion List
Subject: Re: Trying to Limit 'su' access to Domain Group using pam


OK, thanks, I will give it a try; but unfortunately all my security groups contain spaces, "Domain Admins" as an example.

On Wed, 2007-09-12 at 21:04 -0500, Chris Adams wrote:

Once upon a time, Daniel Northam <dnortham raleys com> said:
> auth       required   /lib/security/$ISA/pam_wheel.so trust use_uid group="Admin Group"
I don't think pam_wheel supports a quoted string as the group name.
Reading the source, it doesn't make any allowance for a quoted string
(it would see "Admin as the group name and Group" as a separate
unsupported option).  Try using a group name with no spaces (so no need
for quotes).

nahant-list mailing list
nahant-list redhat com
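
The tokenising behaviour discussed in this thread, as an added example (not pam_wheel's source and not code from any poster): a small C model that assumes module arguments are split on blanks only, with quotes and backslashes treated as ordinary characters. The struct and function names are hypothetical, and the sample argument strings are constructed from the lines quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of parsing the argument part of one PAM config line. */
struct parsed {
    char group[64];          /* value taken from group=...            */
    int  unknown;            /* number of tokens not recognised       */
    char first_unknown[64];  /* first token reported as unknown       */
};

/* ASSUMPTION: arguments are split on spaces/tabs only; '"', '\'' and '\\'
 * get no special treatment, which matches the log lines in the thread. */
struct parsed parse_args(const char *args)
{
    struct parsed p = { "", 0, "" };
    char buf[256];

    snprintf(buf, sizeof buf, "%s", args);   /* strtok modifies its input */
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (strncmp(tok, "group=", 6) == 0)
            snprintf(p.group, sizeof p.group, "%s", tok + 6);
        else if (strcmp(tok, "trust") == 0 || strcmp(tok, "use_uid") == 0)
            continue;                        /* options used in the thread */
        else if (p.unknown++ == 0)
            snprintf(p.first_unknown, sizeof p.first_unknown, "%s", tok);
    }
    return p;
}

int main(void)
{
    /* Constructed samples: quoted, backslash-escaped, and space-free names. */
    const char *samples[] = {
        "trust use_uid group=\"Admin Group\"",
        "trust use_uid group=Admin\\ Group",
        "trust use_uid group=AdminGroup",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct parsed p = parse_args(samples[i]);
        printf("%-36s -> group='%s' unknown=%d first='%s'\n",
               samples[i], p.group, p.unknown, p.first_unknown);
    }
    return 0;
}
```

Only the space-free name reaches the group lookup intact; in the other two cases the lookup is done on a truncated name that has no members, and the remainder is reported as an unknown option.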
