Try a couple of things. Change the triple

(ldap02,,inside.exampledomain.com)

to read

(ldap02,,)

If that works, try changing it to read:

(ldap02,,exampledomain.com)

If that works, then NIS netgroups may not be able to work with subdomains.

Dan-

Michael Montgomery wrote:

>I've been trying to set up and test using NIS Netgroups as a means of
>access control, and have run into some difficulties. I have two client
>systems (ldap01, ldap02) set up to authenticate against an ldap database.
>Pam_Ldap and everything are set up and functioning as they should with
>respect to allowing users queried from the ldap database to login. Here
>are the relevant details.
>
>(I'm using this, btw
>http://directory.fedora.redhat.com/wiki/Howto:Netgroups )
>
>[root@ldap02 security]# hostname
>ldap02.inside.exampledomain.com
>
>[root@ldap02 ~]# host ldap02.inside.exampledomain.com
>ldap02.inside.theplanet.com has address 10.5.1.17
>
>[root@ldap02 ~]# host 10.5.1.17
>17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com
>
>[root@ldap02 security]# getent netgroup unixisusers
>unixisusers ( , mmontgomery, )
>
>[root@ldap02 security]# getent netgroup unixissystems
>unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)
>
>[root@ldap02 security]# id mmontgomery
>uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS)
>
>[root@ldap02 security]# tail access.conf | grep -v '#'
>+ : root : LOCAL
>+ : mmont : ALL
>+ : @unixisusers@@unixissystems : ALL
>- : ALL : ALL
>
>[root@ldap02 pam.d]# cat system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth required /lib/security/$ISA/pam_env.so
>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
>auth required /lib/security/$ISA/pam_deny.so
>
>account required /lib/security/$ISA/pam_unix.so
>account required /lib/security/$ISA/pam_access.so
>account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
>account required /lib/security/$ISA/pam_permit.so
>
>password requisite /lib/security/$ISA/pam_cracklib.so retry=3
>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
>password required /lib/security/$ISA/pam_deny.so
>
>session required /lib/security/$ISA/pam_limits.so
>session required /lib/security/$ISA/pam_unix.so
>session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
>session optional /lib/security/$ISA/pam_ldap.so
>
>When trying to login remotely, I get this:
>
>/var/log/messages:
>Jan 9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com'
>
>Adding this to access.conf makes it work though:
>
>+ : @unixisusers : ALL
>
>Does anyone have any ideas what I'm overlooking here?
>
>Thanks
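
Added example (not part of the original thread, and not pam_access or libc code): a simplified Python model of how a netgroup triple is compared against a (host, user, domain) lookup, showing why the triple variants suggested in the reply isolate the domain field. It assumes an empty triple field or an omitted lookup argument matches anything and every other field is compared as a whole string; the lookup values, including the domain "nis.example", are constructed, since the thread does not show which values pam_access actually supplies.

```python
import re
from typing import List, NamedTuple, Optional

class Triple(NamedTuple):
    host: str
    user: str
    domain: str

def parse_triples(getent_output: str) -> List[Triple]:
    """Parse the '(host, user, domain)' triples printed by `getent netgroup`."""
    triples = []
    for body in re.findall(r"\(([^()]*)\)", getent_output):
        fields = [f.strip() for f in body.split(",")]
        if len(fields) != 3:
            raise ValueError(f"not a triple: ({body})")
        triples.append(Triple(*fields))
    return triples

def _field_ok(field: str, wanted: Optional[str], ignore_case: bool) -> bool:
    # Assumption of this model: an empty triple field, or a lookup argument
    # that is not supplied (None), matches anything.
    if field == "" or wanted is None:
        return True
    if ignore_case:
        return field.lower() == wanted.lower()
    return field == wanted

def in_netgroup(triples, host=None, user=None, domain=None) -> bool:
    """True if any triple matches every supplied lookup argument."""
    return any(
        _field_ok(t.host, host, True)
        and _field_ok(t.user, user, False)
        and _field_ok(t.domain, domain, True)
        for t in triples
    )

# The triple from the thread and the two variants suggested in the reply.
VARIANTS = {
    "original": "(ldap02, , inside.exampledomain.com)",
    "no_domain": "(ldap02,,)",
    "parent_domain": "(ldap02,,exampledomain.com)",
}

def compare_variants(host: str, domain: Optional[str]) -> dict:
    """Which variants match a lookup for `host` in `domain` (constructed inputs)."""
    return {name: in_netgroup(parse_triples(text), host=host, domain=domain)
            for name, text in VARIANTS.items()}

if __name__ == "__main__":
    # "nis.example" is a constructed domain value, not taken from the thread.
    for dom in ("inside.exampledomain.com", "exampledomain.com", "nis.example"):
        print(dom, compare_variants("ldap02", dom))
```

In this model only the triple with an empty domain field matches regardless of the domain passed to the lookup, which is what makes it a useful first test; a lookup by the fully qualified host name matches none of the variants because the host field holds the short name.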