
Re: [rhelv5-list] membership in NIS 10(wheel) group doesn't allow "su -" if pam_wheel.so is enabled in /etc/pam.d/su



> On RHEL4 and 5 if "id username" shows that the user is in group
> 10(wheel) which RHEL grabbed from NIS groups since /etc/nsswitch.conf
> has "group files nis", the user cannot "su -" into the root account
> after entering the root password. The only thing that works is if the
> user is in the wheel group under /etc/group on the local machine.

As far as I am aware, group membership from two different sources does not
add together. The group in the first source found is the one that is
used.

e.g. Let's say I have:

NIS:
foo:x:111:user1,user2,user3

file:
foo:x:111:user2,user3,user4

If you have "group files nis" then user{1,2,3} are members, but user4 is
not. If you have "group nis files" then user{2,3,4} are members, but
user1 is not.

I've run into this problem when groups in LDAP accidentally duplicate
the standard ones in /etc/group.

> We
> also tried "group nis files" without success. We have the following
> line uncommented in /etc/pam.d/su:
> 
> auth       required     /lib/security/$ISA/pam_wheel.so use_uid

That is strange given what I believe above... did you disable nscd
first? I confess that I have no idea about pam_wheel - it may be that it
*always* reads the local /etc/group.

--
Sam
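An added illustration, not part of the thread above, of the "first source to answer wins" lookup that Sam describes. It is a small POSIX sh model of how NSS consults the sources named in /etc/nsswitch.conf: two constructed group sources (a "files" one and a "nis" one, both in /etc/group format, written to a temporary directory) and a lookup function that walks them in the requested order and returns the first matching entry without merging member lists. The group and user names, the nss_group_* and user_in_group function names and the NSS_DEMO_DIR variable are all invented for the example.

```sh
#!/bin/sh
# Added example (not from the original mailing-list thread): model the
# NSS rule that the FIRST source listed for "group" in nsswitch.conf that
# has an entry for a group is used, and member lists are NOT merged.
set -eu

NSS_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$NSS_DEMO_DIR"' EXIT

# Constructed sample data, one file per NSS source, in /etc/group format:
#   name:password:gid:member,member,...
# The local "files" source has a wheel entry and the foo example from the
# thread; the "nis" source carries a different member list for the same
# group name and gid.
cat > "$NSS_DEMO_DIR/files" <<'EOF'
root:x:0:
wheel:x:10:alice
foo:x:111:user2,user3,user4
EOF

cat > "$NSS_DEMO_DIR/nis" <<'EOF'
wheel:x:10:bob
foo:x:111:user1,user2,user3
EOF

# nss_group_entry "files nis" foo
# Walks the sources in the given order and prints the first matching
# group line. Later sources are never consulted once one has answered,
# which is exactly why membership from two sources does not add together.
nss_group_entry() {
    _order=$1
    _group=$2
    for _src in $_order; do
        _line=$(grep "^${_group}:" "$NSS_DEMO_DIR/$_src" 2>/dev/null | head -n 1 || true)
        if [ -n "$_line" ]; then
            printf '%s\n' "$_line"
            return 0
        fi
    done
    return 1    # no source knows the group
}

# nss_group_members "files nis" foo  ->  "user2,user3,user4"
# Prints only the comma-separated supplementary member field.
nss_group_members() {
    _entry=$(nss_group_entry "$1" "$2") || return 1
    printf '%s\n' "${_entry##*:}"
}

# user_in_group "files nis" user1 foo
# Exit 0 if the user appears in the member field of the entry the lookup
# order yields, 1 otherwise. Primary GID membership is deliberately not
# modelled here; only the member list that the winning source returns is.
user_in_group() {
    _members=$(nss_group_members "$1" "$3") || return 1
    case ",$_members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Stand-alone demonstration: the same group, two lookup orders.
for _order in "files nis" "nis files"; do
    printf 'group %-10s -> foo   members: %s\n' "$_order" "$(nss_group_members "$_order" foo)"
    printf 'group %-10s -> wheel members: %s\n' "$_order" "$(nss_group_members "$_order" wheel)"
    for _u in user1 user4; do
        if user_in_group "$_order" "$_u" foo; then
            echo "  $_u is in foo"
        else
            echo "  $_u is NOT in foo"
        fi
    done
done
```

On a real host the equivalent check is to compare `getent group wheel` (which goes through the nsswitch.conf order, and through nscd if it is running) with `grep '^wheel:' /etc/group` (the local file only); if the two differ, whichever entry getent prints is the one NSS hands to callers, and the other source's member list is simply not seen.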

