[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: rlogin/rsh/rexec & PAM



Interesting, I never seem to solve anyone's problems. but I will give
it another shot:

to go over the facts :)
on barnett-pc:

 ypmatch dapd7.houstondp netgroup.byhost

         returns a line containing houston (checked?)

 domainname 

       returns "houstondp"  (forgive me if you have   
         multiple nis domains on one box) (unchecked)


 grep netgroup /etc/nsswitch.conf

         returns a line with nis in it.. (unchecked)

 /etc/pam.d/rlogin has as the first auth line:
   auth       sufficient   /lib/security/pam_rhosts_auth.so (checked?) 

This seems to be all confirmed (except for the domainname part and
/etc/nssswitch.conf not having files first, and that file (/etc/netgroup)
redefining the netgroups.  (so just "netgroup: nis" should be okay)

I don't think there was any bugs in prior releases of glibc wrt innetgr,
but I could be wrong.

If you've shortened the problem to c code, you know it isn't pam, 
and since you don't get it working with any netgroups it's likely
not recursive netgroup problem.  

Perhaps expirimenting with a local /etc/netgroup would help... (again, if
it isn't the problem).  I've not had this problem with a similar
configuration.

It's my final try.

Kenneth

-this sig is for redhat--
    if: 
  strings /bin/more | grep \/vi
    not equal to:
  which vi
    then:
  print running redhat6.2
-------------------------



On Thu, 6 Apr 2000, Dave Barnett wrote:
> kenneth topp wrote:
> > 
> > Dave,
> Kennth:
> 
> > it should work.  try (on the machine you are trying to get to):
> Good.  I really don't want to have to manually add all these hosts.....
> 
> >  ypcat -k netgroup.byhost
> Piping to grep for 'dapd7' (my machine), I get the following:
> dapd7.houstondp dapd,houston,production
> 
> > if you don't see the map, then it's a nis error, if you see the hostname
> > of your client (suffixed with ".*"), make sure it matches the FQDN of the
> > reverse dns lookup ('who -ml' will help you get this).
> If I rlogin to the linux box (barnett-pc), and run who -ml, I get:
> barnett-pc!barnett  pts/7    Apr  6 10:12 (dapd7)
> 
> >  If it's not, then
> > there is your problem.  If you see it, you should see the list of
> > netgroups it's a member of, is the one you added to /etc/hosts.equiv
> > there.. etc. etc.
> It is.  /etc/hosts.equiv looks like:
> +@houston
> +@trusted root
> gtcserv
> dapd7
> ooms-pc
> 
> If I remove dapd7 from /etc/hosts.equiv, I cannot get in without my
> password.  The netgroup lookup is failing to answer 'true'.
> 
> Removing 'dapd7', and adding in '+@dapd' or '+@production' also makes no
> difference.
> 
> So, the only way I can get in without my password via rlogin is to add
> 'dapd7' to /etc/hosts.equiv.
> 
> 
> The netgroup nis map looks like this:
> <many other netgroups>
> <snip>
> dapd \
> <snip>
> 	( dapd6,,houstondp)\
>         ( dapd7,,houstondp)\
>         ( dapd8,,houstondp)\
> <snip>
>         ( barnett-pc,,houstondp)\
> <blank line>
> <many other netgroups>
> 
> > yp makes a reverse map for this, but there are a lot of reasons why you
> > could have trouble. from the nis map not available on the server, to
> > illegal formating in the map.  The debug techniques should help you get
> > closer to get it working correctly.
> Any other places to look?  Which library is innetgr in, do you know?  Is
> there a debug version of that library?
> 
> > Rest assured, this works under linux.  Let us know.
> >
> > Kenneth
> Cheers,
> Dave
> 
> 





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []