Our netgroups look like:
login_samplehost.example.com (-, apollock, )
Our access.conf looks like:
To be clear, we have per-host netgroups.
As of the change made in http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_access/pam_access.c?view=diff&pathrev=Linux-PAM-1_0_90&r1=1.29&r2=1.30
Significant line change (pam_access.c) (lines 512-516):
return (netgroup_match (pamh, tok + 1, (char *) 0, string, item->debug));
return (netgroup_match (pamh, tok + 1, item->hostname, string, item->debug));
pam_access now wants the netgroup to look like
login_samplehost.example.com (, apollock, )
or our use case fails.
Apparently this change was made based on a user request - http://www.redhat.com/archives/pam-list/2008-April/msg00032.html because this user seemed to want to have a single netgroup for all hosts that arbitrated access, based on the user and host components of the netgroup triple.
That said, trying to mix users and hosts is incorrect use of a netgroup. http://docs.sun.com/app/docs/doc/806-1387/6jam692ck?a=view states that
admins (altair, hauri), (sirius,juanita,sales)
is the equivalent of
admins (altair,-), (sirius,-), (-,hauri), (-,juanita,sales)
so it comes down to what you're querying a netgroup for, users or hosts. Trying to mix the two will give undesired results.
Because the "-" character will not match any specific username or hostname, it is commonly used as a placeholder that will match only wildcarded membership queries. So, for example:
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
effectively define netgroups containing only hosts and only users, respectively. Any other string that is guaranteed not to be a legal username or hostname will also suffice for this purpose.
Use of placeholders will improve search performance.
http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml also says:
Though netgroup pairs (or triples) group together hostnames, usernames and domainnames, nothing really reads them in that manner. They exist only in NIS maps. The file /etc/netgroup only exists in order to be your 'flat' source file.
It is important to understand that there is no necessary relationship between the machine and user elements in an entry and such definitions usually should be split into two: one for users and one for servers. admins (-,john), (-,nick)It is possible to omit dash and use just leading comma. But if this netgroup were ever accidentally included in a list of hosts rather than users, the blank space would be interpreted as a wildcard meaning any host. For example, if someone used this netgroup in a -access list in the /etc/exports file, any host would have access to the exported directory. For this reason, if a netgroup is used strictly as a list of users, you should always put a dash in the host field, as in example above.
The following netgroup will not do what you expect:
bogus-group (machine1,user1), (machine2,user2) # not what you might think !!!
You might think this means user1 at machine1 and user2 at machine2, but in actuality, it is a netgroup that defines either two users (user1 and user2) if used in place were configuration file expects users or two machines (machine1 and machine2) is uses when particular configuration file expects list of hosts.
So I'm going to file a bug about this, but I wanted to provide the full background here for discussion also.
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list