I've been trying to set up and test using NIS netgroups as a means of access control, and have run into some difficulties. I have two client systems (ldap01, ldap02) set up to authenticate against an LDAP database. pam_ldap and everything are set up and functioning as they should with respect to allowing users queried from the LDAP database to log in. Here are the relevant details. (I'm using this, btw: http://directory.fedora.redhat.com/wiki/Howto:Netgroups )

[root@ldap02 security]# hostname
ldap02.inside.exampledomain.com

[root@ldap02 ~]# host ldap02.inside.exampledomain.com
ldap02.inside.theplanet.com has address 10.5.1.17

[root@ldap02 ~]# host 10.5.1.17
17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com

[root@ldap02 security]# getent netgroup unixisusers
unixisusers ( , mmontgomery, )

[root@ldap02 security]# getent netgroup unixissystems
unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)

[root@ldap02 security]# id mmontgomery
uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS)

[root@ldap02 security]# tail access.conf | grep -v '#'
+ : root : LOCAL
+ : mmont : ALL
+ : @unixisusers@@unixissystems : ALL
- : ALL : ALL

[root@ldap02 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_access.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session optional /lib/security/$ISA/pam_ldap.so

When trying to log in remotely, I get this:

/var/log/messages:
Jan 9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com'

Adding this to access.conf makes it work, though:

+ : @unixisusers : ALL

Does anyone have any ideas what I'm overlooking here?

Thanks
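
An added example, not part of the original post: a small check that parses the `getent netgroup` output quoted above and tests names against the triples the way innetgr(3) does, so the user-side and host-side halves of a netgroup rule can be checked separately. The function names are hypothetical, case-insensitive host/domain comparison is an assumption modelled on glibc, and it says nothing about how a given pam_access version parses the `@@` token.

```python
import re

# `getent netgroup` output as quoted in the post (flat triples only).
GETENT_OUTPUT = """\
unixisusers ( , mmontgomery, )
unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_getent(text):
    """Return {netgroup: [(host, user, domain), ...]}; empty fields become None."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.strip().partition(" ")
        groups[name] = [
            tuple(field.strip() or None for field in m.groups())
            for m in TRIPLE_RE.finditer(rest)
        ]
    return groups


def _field_ok(entry, query, casefold):
    # An empty triple field, or a query value left unspecified, is a wildcard.
    if entry is None or query is None:
        return True
    # Assumption: host/domain compare case-insensitively, user exactly.
    return entry.lower() == query.lower() if casefold else entry == query


def in_netgroup(groups, name, host=None, user=None, domain=None):
    """innetgr(3)-style test: all three fields of at least one triple must match."""
    return any(
        _field_ok(h, host, True) and _field_ok(u, user, False) and _field_ok(d, domain, True)
        for h, u, d in groups.get(name, [])
    )


if __name__ == "__main__":
    groups = parse_getent(GETENT_OUTPUT)
    local_fqdn = "ldap02.inside.exampledomain.com"  # `hostname` output in the post
    for host in ("ldap02", local_fqdn):
        print(host, in_netgroup(groups, "unixissystems", host=host))
    print("mmontgomery", in_netgroup(groups, "unixisusers", user="mmontgomery"))
```
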