Date:      Thu, 11 Dec 2008 12:00:04 -0500 (EST)
From:      "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To:        questions@freebsd.org
Cc:        hackers@freebsd.org
Subject:   (no subject)
Message-ID:  <alpine.BSF.2.00.0812111140210.32947@prime.gushi.org>

Okay, new problem with regard to netgroups, NIS, and PAM:

Given the following situation:

* I want to be able to have su work normally in the event of an NIS 
disconnect, since I will likely need to su to fix said disconnect.

* The wheel group needs to stay local

* I want su to still use group ownership as a check

I recently could not get an admin account (defined in NIS) to su to root. 
Even though "groups username" showed he was in wheel (and the wheel group 
has been propagated into NIS), pam_group and pw groupshow show him as 
not.  This is probably because the local wheel group overrode the NIS 
wheel group.  (I'm not that thrilled by having the wheel group in NIS 
anyway.)

Since pam_group is "requisite", there's no easy way to call it multiple 
times, and no easy PAM syntax to say "one of these two must pass". 
Required won't help; otherwise I'd simply define an extra group, call it 
NISwheel or something, and configure access accordingly.

What I instead would propose is for pam_group to take an optional argument 
list instead of a single group (or possibly, multiple group= 
requirements).

Doing something with pam_exec is an option here as well, but I feel this 
functionality should be fairly elementary to add, moving forward.

-Dan

-- 

"You're a daddy.  I'm a mommy.  She's our baby.  Deal with it."

-Cali, 11/7/02, about 1:35 AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
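
Added example, not part of the original message and not FreeBSD's own code: a sketch of the pam_exec route mentioned above, a helper that passes when the applicant is in any one of several groups. It assumes pam_exec exports PAM_RUSER and PAM_SERVICE to the child; the script path, the `group_list` helper and the pam.d line in the comment are hypothetical.

```shell
#!/bin/sh
# Added example: "one of these groups must pass" check for pam_exec.
# Assumed /etc/pam.d/su line (script path is hypothetical):
#   auth requisite pam_exec.so /usr/local/libexec/su_anygroup.sh wheel NISwheel

# group_list USER -> prints USER's group names, space separated.
# id -Gn resolves through nsswitch, so local and NIS memberships are merged.
group_list() {
    id -Gn "$1" 2>/dev/null
}

# in_any_group USER GROUP... -> 0 if USER is in at least one GROUP, else 1.
in_any_group() {
    user=$1
    # Fail closed: no user name, or a name that id would parse as an option.
    case $user in
        ''|-*) return 1 ;;
    esac
    shift
    # Fail closed on an empty group list as well.
    [ "$#" -gt 0 ] || return 1
    memberships=$(group_list "$user") || return 1
    for want in "$@"; do
        for have in $memberships; do
            [ "$have" = "$want" ] && return 0
        done
    done
    return 1
}

# pam_entry GROUP... -> status handed back to PAM.
# Only PAM_RUSER (the person running su) is checked. Falling back to
# PAM_USER would test the target account, root, which is always in wheel.
pam_entry() {
    in_any_group "${PAM_RUSER:-}" "$@"
}

# Run as a PAM helper only when pam_exec has set up the environment.
if [ -n "${PAM_SERVICE:-}" ]; then
    pam_entry "$@"
    exit $?
fi
```

A non-zero exit makes pam_exec fail the request, so the line can stay "requisite" in the same way pam_group is.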