Re: [rhelv5-list] membership in NIS 10(wheel) group doesn't allow "su -" if pam_wheel.so is enabled in /etc/pam.d/su

> On RHEL4 and 5 if "id username" shows that the user is in group
> 10(wheel) which RHEL grabbed from NIS groups since /etc/nsswitch.conf
> has "group files nis", the user cannot "su -" into the root account
> after entering the root password. The only thing that works is if the
> user is in the wheel group under /etc/group on the local machine.

As far as I am aware, group membership from two different sources does not
add together. The group in the first source found is the one that is

e.g. Let's say I have:



If you have "group files nis" then user{1,2,3} are members, but user4 is
not. If you have "group nis files" then user{2,3,4} are members, but
user1 is not.

I've run into this problem when groups in LDAP accidentally duplicate
the standard ones in /etc/group.

> We
> also tried "group nis files" without success. We have the following
> line uncommented in /etc/pam.d/su:
> auth       required     /lib/security/$ISA/pam_wheel.so use_uid

That is strange given what I believe above... did you disable nscd
first? I confess that I have no idea about pam_wheel - it may be that it
*always* reads the local /etc/group.
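
The lookup-order behaviour described in the reply above, as an added example that is not part of the original message. The member lists, the `staff` group and the function names are constructed for illustration; the example goes one step beyond the reply by also showing the all-sources collection that glibc's initgroups() performs by default, which is why `id` can list a group whose first-match member list omits the user. It makes no claim about which lookup pam_wheel uses.

```shell
#!/bin/sh
# Constructed sample data (not from the thread): "wheel" is defined in two
# sources with different member lists, in group(5) format.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '%s\n' 'root:x:0:' 'wheel:x:10:user1,user2,user3' > "$DEMO_DIR/files"
printf '%s\n' 'wheel:x:10:user2,user3,user4' 'staff:x:500:user4' > "$DEMO_DIR/nis"

# getgrnam()-style lookup: walk the sources in nsswitch.conf order and print
# the member list from the FIRST source that defines the group. Later
# sources are never consulted, so member lists do not add together.
first_match_members() {
    group=$1; shift
    for src in "$@"; do
        members=$(awk -F: -v g="$group" \
            '$1 == g { print $4; found = 1; exit } END { exit !found }' "$src") &&
            { printf '%s\n' "$members"; return 0; }
    done
    return 1
}

# True if the user is in the member list that a first-match lookup returns.
is_member_first_match() {
    user=$1; group=$2; shift 2
    list=$(first_match_members "$group" "$@") || return 1
    case ",$list," in *",$user,"*) return 0 ;; esac
    return 1
}

# initgroups()-style lookup, which is what "id" prints: with no explicit
# "initgroups:" line in nsswitch.conf, glibc queries every source and collects
# each group that lists the user (the primary GID is ignored in this sketch).
all_source_groups() {
    user=$1; shift
    awk -F: -v u="$user" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$@" |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

for order in "files nis" "nis files"; do
    set -- $order
    printf 'group: %-9s -> wheel members: %s\n' "$order" \
        "$(first_match_members wheel "$DEMO_DIR/$1" "$DEMO_DIR/$2")"
done
printf 'user4 via all sources: %s\n' \
    "$(all_source_groups user4 "$DEMO_DIR/files" "$DEMO_DIR/nis")"
```

To compare real sources, pass /etc/group and a saved copy of `ypcat group` output to the functions in the order your nsswitch.conf lists them.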


