[Fedora-directory-users] NIS netgroups and access.conf not quite working as advertised.

Michael Montgomery mmontgomery at theplanet.com
Mon Jan 9 22:22:17 UTC 2006


I've been trying to set up and test using NIS netgroups as a means of
access control, and have run into some difficulties.  I have two client
systems (ldap01, ldap02) set up to authenticate against an ldap database.
Pam_Ldap and everything are set up and functioning as they should with
respect to allowing users queried from the ldap database to login.  Here
are the relevant details.

(I'm using this, btw
http://directory.fedora.redhat.com/wiki/Howto:Netgroups )

[root at ldap02 security]# hostname
ldap02.inside.exampledomain.com

[root at ldap02 ~]# host ldap02.inside.exampledomain.com
ldap02.inside.theplanet.com has address 10.5.1.17

[root at ldap02 ~]# host 10.5.1.17
17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com

[root at ldap02 security]# getent netgroup unixisusers
unixisusers           ( , mmontgomery, )

[root at ldap02 security]# getent netgroup unixissystems
unixissystems         (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)

[root at ldap02 security]# id mmontgomery
uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS)

[root at ldap02 security]# tail access.conf  | grep -v '#'
+ : root : LOCAL
+ : mmont : ALL
+ : @unixisusers@@unixissystems : ALL
- : ALL : ALL

[root at ldap02 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_access.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session     optional      /lib/security/$ISA/pam_ldap.so

When trying to log in remotely, I get this:

/var/log/messages:
Jan  9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com'

Adding this to access.conf makes it work though:

+ : @unixisusers : ALL

Does anyone have any ideas what I'm overlooking here?  

Thanks
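As an added illustration for this thread (not code from the post, from Linux-PAM, or from the Fedora howto it links), the Python script below simulates how pam_access walks the access.conf lines shown above against the netgroup triples from the getent output. It builds in two assumptions about the real implementation, marked in the comments: that the host half of `@unixisusers@@unixissystems` is compared with the local hostname returned by gethostname() rather than with the connecting host, and that innetgr() matches the host field of a triple by exact string comparison, so `ldap02` and `ldap02.inside.exampledomain.com` count as different hosts. The origin name `202.10-5-1.inside.exampledomain.com` is taken from the log line in the post; the function and variable names are the script's own.

```python
# Simulation of how pam_access evaluates access.conf entries such as
# "+ : @usergroup@@hostgroup : ALL" against NIS/LDAP netgroup triples.
# Constructed example for this thread; not code from the post, from Linux-PAM
# or from the Fedora netgroup howto.  Two assumptions about the real code are
# built in and marked below: (1) the host half of "@users@@hosts" is compared
# with the local hostname (gethostname()), not the connecting host; (2) innetgr
# matches the host field by exact string comparison, no FQDN/short-name folding.

# Netgroup triples (host, user, domain), transcribed from the getent output.
NETGROUPS = {
    "unixisusers":   [("", "mmontgomery", "")],
    "unixissystems": [("ldap01", "", "inside.exampledomain.com"),
                      ("ldap02", "", "inside.exampledomain.com")],
}

# The access.conf lines shown in the post (comments already filtered out).
ACCESS_CONF = """
+ : root : LOCAL
+ : mmont : ALL
+ : @unixisusers@@unixissystems : ALL
- : ALL : ALL
"""

# Origin host taken from the pam_access log line in the post.
ORIGIN = "202.10-5-1.inside.exampledomain.com"


def innetgr(name, host=None, user=None, domain=None):
    """Simplified innetgr(3): a triple matches when each requested field is
    either empty in the triple (wildcard) or equal to the requested value.
    Exact string comparison (assumption 2)."""
    for h, u, d in NETGROUPS.get(name, []):
        if host is not None and h and h != host:
            continue
        if user is not None and u and u != user:
            continue
        if domain is not None and d and d != domain:
            continue
        return True
    return False


def from_match(token, origin):
    """Origin field of access.conf: ALL, LOCAL, @netgroup or a name/suffix."""
    if token == "ALL":
        return True
    if token == "LOCAL":            # pam_access: LOCAL matches names without a dot
        return "." not in origin
    if token.startswith("@"):       # netgroup of hosts, checked against the origin
        return innetgr(token[1:], host=origin)
    return origin == token or origin.endswith(token)


def user_match(token, user, local_host):
    """User field of access.conf: ALL, a login name, @netgroup or @users@@hosts."""
    if token == "ALL":
        return True
    if token.startswith("@") and "@@" in token:
        usergrp, hostgrp = token[1:].split("@@", 1)
        # Assumption 1: the host half is compared with the *local* hostname.
        return innetgr(usergrp, user=user) and innetgr(hostgrp, host=local_host)
    if token.startswith("@"):
        return innetgr(token[1:], user=user)
    return token == user


def access_allowed(user, local_host, origin=ORIGIN, conf=ACCESS_CONF):
    """First matching line decides; pam_access permits when no line matches."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        users_ok = any(user_match(u, user, local_host) for u in users.split())
        origin_ok = any(from_match(o, origin) for o in origins.split())
        if users_ok and origin_ok:
            return perm == "+"
    return True


if __name__ == "__main__":
    # gethostname() on ldap02 returns the FQDN, the triple holds the short name.
    print(access_allowed("mmontgomery", "ldap02.inside.exampledomain.com"))  # False
    print(access_allowed("mmontgomery", "ldap02"))                           # True
    # The workaround line drops the host check, so any local host passes.
    print(access_allowed("mmontgomery", "anyhost",
                         conf="+ : @unixisusers : ALL\n- : ALL : ALL"))      # True
```

Under those two assumptions the FQDN that `hostname` reports on ldap02 never equals the short name `ldap02` stored in the triple, so the `@unixisusers@@unixissystems` line fails and the final `- : ALL : ALL` line produces exactly the denial seen in /var/log/messages. The workaround `+ : @unixisusers : ALL` passes only because it removes the host half altogether, which admits that user netgroup on every host rather than on the two systems in `unixissystems`. Whether both assumptions hold for the pam_access and NSS versions in use is worth confirming before relying on the host restriction.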