Re: Nis Netgroups and access.conf not quite working as advertised.

Try a couple of things.

Change the triple
(ldap02,,inside.exampledomain.com)

to read

(ldap02,,)

If that works, try changing it to read:

(ldap02,,exampledomain.com)

If that works, then NIS netgroups may not be able to work with subdomains.

Dan-

Michael Montgomery wrote:

I've been trying to set up and test using NIS netgroups as a means of
access control, and have run into some difficulties.  I have two client
systems (ldap01, ldap02) set up to authenticate against an LDAP database.
pam_ldap and everything are set up and functioning as they should with
respect to allowing users queried from the LDAP database to log in.  Here
are the relevant details.

(I'm using this, btw
http://directory.fedora.redhat.com/wiki/Howto:Netgroups )

[root@ldap02 security]# hostname
ldap02.inside.exampledomain.com

[root@ldap02 ~]# host ldap02.inside.exampledomain.com
ldap02.inside.theplanet.com has address 10.5.1.17

[root@ldap02 ~]# host 10.5.1.17
17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com

[root@ldap02 security]# getent netgroup unixisusers
unixisusers           ( , mmontgomery, )

[root@ldap02 security]# getent netgroup unixissystems
unixissystems         (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)

[root@ldap02 security]# id mmontgomery
uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS)

[root@ldap02 security]# tail access.conf  | grep -v '#'
+ : root : LOCAL
+ : mmont : ALL
+ : @unixisusers@@unixissystems : ALL
- : ALL : ALL

[root@ldap02 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_access.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session     optional      /lib/security/$ISA/pam_ldap.so

When trying to login remotely, I get this:

/var/log/messages:
Jan  9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com'

Adding this to access.conf makes it work, though:

+ : @unixisusers : ALL

Does anyone have any ideas what I'm overlooking here?
Thanks
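
The thread turns on how a NIS netgroup triple is matched. As an added example that is not part of this thread, the Python below parses the `getent netgroup` output quoted above and applies the innetgr(3) matching rules to it: an empty triple field is a wildcard, a lookup argument of None means "don't care", anything else is an exact string compare, and the third field is compared with the NIS domain name rather than with the DNS suffix of the host. It then evaluates the three host triples Dan suggests trying. The function names (parse_getent, innetgr, host_in_group) and the extra lookups are my own, not anything from pam_access or the Fedora Directory howto.

```python
"""
innetgr(3)-style NIS netgroup matching, as an added example that is not part of
the thread. The netgroup data below is transcribed from the `getent netgroup`
output in the post; the lookup arguments are constructed.
"""
import re

# Transcribed from the post's `getent netgroup` output (constructed sample).
GETENT_OUTPUT = """\
unixisusers           ( , mmontgomery, )
unixissystems         (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)
"""

# One (host, user, domain) triple; whitespace inside the parentheses is ignored.
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_getent(text):
    """Parse `getent netgroup` lines into {name: (triples, nested_names)}."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        name = parts[0]
        body = parts[1] if len(parts) > 1 else ""
        triples = TRIPLE_RE.findall(body)
        # Anything left after removing the triples is a nested netgroup name.
        nested = TRIPLE_RE.sub(" ", body).split()
        groups[name] = (triples, nested)
    return groups


def field_matches(triple_field, query):
    """innetgr semantics for one field: a None query means 'don't care';
    an empty triple field is a wildcard; otherwise exact string compare
    (so the '-' placeholder never matches a real host, user or domain)."""
    if query is None or triple_field == "":
        return True
    return triple_field == query


def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """Return True if (host, user, domain) is a member of `netgroup`,
    following nested netgroups and guarding against cycles."""
    _seen = set() if _seen is None else _seen
    if netgroup in _seen or netgroup not in groups:
        return False
    _seen.add(netgroup)
    triples, nested = groups[netgroup]
    for h, u, d in triples:
        if (field_matches(h, host) and field_matches(u, user)
                and field_matches(d, domain)):
            return True
    return any(innetgr(groups, n, host, user, domain, _seen) for n in nested)


def host_in_group(text, hostgroup, host, nis_domain):
    """Is `host` in `hostgroup` when the resolver's NIS domain is `nis_domain`?
    The third triple field is compared with the NIS domain name, not with the
    DNS suffix of the host, so a mismatch there fails the whole triple."""
    return innetgr(parse_getent(text), hostgroup, host=host, domain=nis_domain)


if __name__ == "__main__":
    groups = parse_getent(GETENT_OUTPUT)
    print(innetgr(groups, "unixisusers", user="mmontgomery"))  # True
    # Same host, different NIS domain: the third field decides the match.
    for dom in ("inside.exampledomain.com", "exampledomain.com", None):
        print(dom, host_in_group(GETENT_OUTPUT, "unixissystems", "ldap02", dom))
    # The (ldap02,,) variant: an empty third field is a wildcard for any domain.
    relaxed = "unixissystems (ldap02,,)\n"
    print(host_in_group(relaxed, "unixissystems", "ldap02", "anything"))  # True
    # The (ldap02,,exampledomain.com) variant only matches that exact NIS domain.
    parent = "unixissystems (ldap02,,exampledomain.com)\n"
    print(host_in_group(parent, "unixissystems", "ldap02", "exampledomain.com"))  # True
```

Two caveats worth keeping in mind when reading the result. First, the host string compared against the first field is whatever the calling program hands to innetgr, so whether a short name or a fully qualified name is needed depends on that caller, not on the netgroup map. Second, from an access-control standpoint every emptied field widens the match: `(ldap02,,)` admits that host under any NIS domain and with any user, so a wildcard that makes a test pass should be narrowed again once the real mismatch is understood.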

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
