On 10/22/2009 08:20 AM, Matthew J. Salerno wrote:
5.2 x86_64
Samba: samba-3.0.28-0.el5.8
PAM: pam-0.99.6.2-3.27.el5
The server is successfully joined to AD and AD users can log in with no issues.
The issue I am having has to do with the su command. I want to allow only a
handful of groups to be able to use the su command. I updated the /etc/pam/su
as shown below, but I am getting the following error in my secure log:
su: pam_listfile(su-l:auth): Refused user root for service su-l
getent group/passwd are both working and sudo works with the groups as well,
just not pam_listfile.so. What's worse is that if I remove the line with the
pam_listfile.so and use pam_wheel and specify the domain group, it works. So
by deduction, the issue has to be with the pam_listfile.so module config. I
know that I cannot be the only one who has run into this. Also, this fails for
local users in the wheel group.
If I add the root group, it looks like every user can su, so there is no gain.
Does anyone have an alternative or see an error in my config?
I've always used the pam_winbind.so modules to do PAM-related auth
tasks. It supports a require_membership_of=[SID or NAME] option, which
you could use for your domain groups. This, however, doesn't let you use
a file of groups.
HTH
--
Tim
http://linux.die.net/man/7/pam_winbind
Thanks
# Works in /etc/pam.d/su
pam_wheel.so use_uid group=DOMAIN-operations
# /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/suauthgrp.allow
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
# /etc/security/suauthgrp.allow - 640
wheel
DOMAIN-server_ops
DOMAIN-operations
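An added check, not part of this thread and not Matthew's or Tim's configuration: the pam_listfile(8) man page lists item=user|tty|rhost|ruser|group|shell, and every line of the listed file is compared with whatever that item is. The script below reads a pam.d stack like the one above, picks out the pam_listfile lines, and reports entries of the referenced file that cannot resolve as the chosen item type (a group name under item=user, for instance), plus the case where no entry can match at all and sense=allow with onerr=fail therefore refuses everyone. The passwd and group sets are constructed stand-ins for getent output so it runs offline; the second stack with item=group is included only to show the lint passing when the item type agrees with the file's contents.

```python
"""Lint pam_listfile lines in a pam.d stack against the file they point at.

Added example, not from the thread. pam_listfile compares each line of the
file with the item selected by item= (user, tty, rhost, ruser, group or
shell). If item=user but the file holds group names, no login name can
match; with sense=allow and onerr=fail that refuses every caller.
"""
import shlex

# Constructed stand-ins for `getent passwd` / `getent group` on the host.
PASSWD = {"root", "alice", "bob"}
GROUPS = {"root", "wheel", "DOMAIN-server_ops", "DOMAIN-operations"}

# Constructed copy of the auth section of the /etc/pam.d/su from the thread.
PAM_SU = """\
auth sufficient pam_rootok.so
auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/suauthgrp.allow
auth include system-auth
"""

# Same stack with the item type that matches a file of group names.
PAM_SU_GROUP = PAM_SU.replace("item=user", "item=group")

# Constructed contents of the allow file named in the stack.
ALLOW_FILES = {
    "/etc/security/suauthgrp.allow": "wheel\nDOMAIN-server_ops\nDOMAIN-operations\n",
}


def parse_pam_listfile(stack):
    """Yield (type, control, options) for each pam_listfile.so line in a stack."""
    for raw in stack.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3 or not fields[2].endswith("pam_listfile.so"):
            continue
        opts = {}
        for field in fields[3:]:
            key, _, value = field.partition("=")
            opts[key] = value
        yield fields[0], fields[1], opts


def read_entries(text):
    """Non-empty, non-comment lines of an allow/deny file."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]


def lint(stack, allow_files, passwd, groups):
    """Return a list of findings; an empty list means every entry fits its item type."""
    findings = []
    for _mtype, control, opts in parse_pam_listfile(stack):
        item = opts.get("item")
        path = opts.get("file")
        if item not in {"user", "group"}:
            continue  # tty/rhost/ruser/shell entries need no name lookup
        known = passwd if item == "user" else groups
        other = groups if item == "user" else passwd
        other_name = "group" if item == "user" else "user"
        entries = read_entries(allow_files.get(path, ""))
        unresolved = [e for e in entries if e not in known]
        for entry in unresolved:
            if entry in other:
                findings.append(f"{path}: '{entry}' is a {other_name} but item={item}")
            else:
                findings.append(f"{path}: '{entry}' is not a known {item}")
        allow_all_fail = opts.get("sense") == "allow" and opts.get("onerr") == "fail"
        if allow_all_fail and entries and len(unresolved) == len(entries):
            findings.append(
                f"{path}: no entry can match item={item}; "
                f"sense=allow will refuse every caller ({control} module)"
            )
    return findings


if __name__ == "__main__":
    for name, stack in (("item=user", PAM_SU), ("item=group", PAM_SU_GROUP)):
        print(f"--- {name}")
        for finding in lint(stack, ALLOW_FILES, PASSWD, GROUPS) or ["ok"]:
            print(finding)
```

Run against a real host, the two constructed sets would be replaced by the names returned by getent passwd and getent group, which on a winbind-joined box include the DOMAIN- groups only if nsswitch resolves them, so a "not a known group" finding there points at name resolution rather than at the PAM line.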
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list