pam_limits not working with pam_groups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Greetings

I have a group of workstations which are used for working with USRPs via gnuradio and matlab. gnuradio requires permissions to increase the thread priority (granted via pam_limits). Every user who uses these machines does so via LDAP accounts (which are also used on other workstations). LDAP
users are added to the usrp group via pam_groups. The limit works fine for local users and for LDAP users manually added to local usrp group (entered in /etc/group), but does not work for LDAP users who are added to the group via pam_groups. In addition, adding an LDAP user to /etc/security/limits.conf directly does not work either. Another issue that is possibly related is that calling 'id' or 'groups' from an LDAP account returns all the local groups added via pam_groups, while calling 'id $USER' or 'groups $USER' only returns the LDAP groups that the user is a member of. This makes sense, because, with no arguments, id and groups return the groups of the calling process, while with the username as an argument, it queries the user database directly.

Is pam_limits and pam_groups not interacting with each other a bug or is that design intentional? If it is intentional, are there any good workarounds for this situation?


Relevant files and command outputs:
/etc/security/limits.conf:
@usrp  - rtprio 50

/etc/security/group.conf:
*;*;*;Al0000-2400;floppy,video,audio,cdrom,plugdev,users,usrp,wireshark,vboxusers,fuse

output of 'ulimit -l -r' on LDAP user not added to usrp via pam_groups:
max locked memory       (kbytes, -l) 64
real-time priority              (-r) 0

output of 'ulimit -l -r' on local user or LDAP user added to usrp via pam_groups:
max locked memory       (kbytes, -l) 64
real-time priority              (-r) 50

Thank you for any assistance.
--
Nicolas Avrutin

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux