5.2 x86_64
Samba: samba-3.0.28-0.el5.8
PAM: pam-0.99.6.2-3.27.el5
The server is successfully joined to AD and AD users can log in with no
issues. The issue I am having has to do with the su command. I want to allow
only a handful of groups to be able to use the su command. I updated the
/etc/pam.d/su as shown below, but I am getting the following error in my secure
log:
su: pam_listfile(su-l:auth): Refused user root for service su-l
getent group/passwd are both working and sudo works with the groups as well,
just not pam_listfile.so. What's worse is that if I remove the line with
the pam_listfile.so and use pam_wheel and specify the domain group, it works.
So by deduction, the issue has to be with the pam_listfile.so module config. I
know that I cannot be the only one who has run into this. Also, this fails for
local users in the wheel group.
If I add the root group, it looks like every user can su, so there is no gain.
Does anyone have an alternative or see an error in my config?
Thanks
# Works in /etc/pam.d/su (full directive; single group only)
auth required pam_wheel.so use_uid group=DOMAIN-operations
# /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/suauthgrp.allow
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
# /etc/security/suauthgrp.allow - 640
wheel
DOMAIN-server_ops
DOMAIN-operations
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
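Added example (not from the original post or the rhelv5-list thread): one way to express the multi-group allow-list for su without pam_listfile. The behaviour it rests on: pam_listfile's item=user and item=group are evaluated against PAM_USER, which for su is the account being switched to (root here), not the account running su. That is why the log says "Refused user root" and why listing root opens su to everyone. pam_succeed_if with use_uid tests its condition against the calling user's account instead, and the [success=N default=ignore] control jumps let several group tests be ORed, which the single-group pam_wheel line cannot do. The group names are copied from the post; the rest of the stanza is my assumption about what fits the posted /etc/pam.d/su.

```pam
# /etc/pam.d/su  (added example; replaces the pam_listfile line from the post)
# root may su to any account without authenticating
auth       sufficient   pam_rootok.so
# Allow-list of *calling* users by group.  use_uid makes pam_succeed_if test the
# caller's account rather than PAM_USER (the target).  success=N skips the next
# N lines of the auth stack, so a match jumps over the remaining group tests and
# pam_deny straight to the password prompt; a non-match (default=ignore) falls
# through to the next test.
auth       [success=3 default=ignore] pam_succeed_if.so use_uid quiet user ingroup wheel
auth       [success=2 default=ignore] pam_succeed_if.so use_uid quiet user ingroup DOMAIN-server_ops
auth       [success=1 default=ignore] pam_succeed_if.so use_uid quiet user ingroup DOMAIN-operations
# No group matched: refuse before any password is asked for
auth       requisite    pam_deny.so
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so
```

Adding a fourth group means inserting another pam_succeed_if line and bumping every success=N above it by one, so re-count the jumps whenever the block changes. Keep a root shell open while editing /etc/pam.d/su, then verify from two separate logins: su from a member of one of the listed groups should reach the password prompt, su from a non-member should be refused with a pam_succeed_if or pam_deny entry in /var/log/secure before any password is requested. For the domain groups this depends on `getent group DOMAIN-operations` resolving the membership through winbind, which the post says already works.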