Migrating to LDAP authentication


 



On Tue, Feb 2, 2010 at 9:19 AM, Sean Carolan <scarolan at gmail.com> wrote:
> Wow, fast reply Muzzol!
>
>>> 2. If there are some users who only need access to a small number of
>>> servers, how would you handle that situation?
>> modify /etc/security/limits.conf to your needs
>
> What about /etc/security/access? Do you think this is the best way to
> accomplish this? Assume that I have several hundred servers, but need
> to grant temporary access to a developer on a few machines to look at
> some log files. It seems like overkill to change a file on all
> servers just to allow him access to one (or a few) servers.
>
>> I always create users in a default generic group, but that has nothing
>> to do with your error.
>>> id: cannot find name for group ID 5001
>> you probably have nsswitch.conf misconfigured.
>
> I assigned the gid on the LDAP server but it does not exist on the
> client machine. I have a script to be able to create private groups
> on all servers, was just curious how other people dealt with this
> situation. I may create a generic "operators" group for new users who
> need access to these systems, as you mentioned.
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

#2
a. There is also a setting in /etc/ldap.conf called pam_groupdn. This
lets you define an LDAP object with multiple member attributes to
control who can login. I find it easy to use.
b. SSH can be told to only accept logins from a posix group (same deal
just handled at a different part of the stack).
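
The two options from the reply above, sketched as configuration. This is an added example, not part of the original message; the base DN, the group names `loghost-login` and `logreaders`, and the user `devuser` are constructed placeholders, and the login group is assumed to be a groupOfUniqueNames entry.

```conf
# --- Directory entry (LDIF), constructed: one login group for a set of hosts ---
dn: cn=loghost-login,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: loghost-login
uniqueMember: uid=devuser,ou=People,dc=example,dc=com

# --- /etc/ldap.conf on the hosts that group may reach (option a, pam_ldap) ---
# Only users whose DN is listed in this entry pass pam_ldap's account check.
pam_groupdn cn=loghost-login,ou=Groups,dc=example,dc=com
pam_member_attribute uniqueMember

# --- PAM stack for the login service (file name depends on the distribution) ---
# pam_groupdn is evaluated in the account phase, so pam_ldap must be listed
# there. user_unknown=ignore keeps local-only accounts such as root working.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

# --- /etc/nsswitch.conf ---
# Group names and gids must resolve through LDAP for sshd to match them.
group:      files ldap

# --- /etc/ssh/sshd_config (option b) ---
# sshd checks the user's primary and supplementary groups by name.
# "logreaders" is a hypothetical posixGroup held in the directory.
UsePAM yes
AllowGroups wheel logreaders
```

With either option, granting or revoking temporary access is a change to one group entry on the directory server rather than a file edit on each host.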

