Matthew J. Salerno wrote:
5.2 x86_64
Samba: samba-3.0.28-0.el5.8
PAM: pam-0.99.6.2-3.27.el5
The server is successfully joined to AD and AD users can log in with no issues. The issue I am having has to do with the su command. I want to allow only a handful of groups to be able to use the su command. I updated the /etc/pam/su as shown below, but I am getting the following error in my secure log:
su: pam_listfile(su-l:auth): Refused user root for service su-l
getent group/passwd are both working and sudo works with the groups as well,
just not pam_listfile.so. What's worse is that if I remove the line with
the pam_listfile.so and use pam_wheel and specify the domain group, it works.
So by deduction, the issue has to be with the pam_listfile.so module config. I
know that I cannot be the only one who has run into this. Also, this fails for
local users in the wheel group.
If I add the root group, it looks like every user can su, so there is no gain.
Does anyone have an alternative or see an error in my config?
I've not willingly used su since I discovered sudo some years ago, and
sudo is the standard way of controlling privileged access on ubuntu and
Mac OS X.
I think the model where every administrator has to know the root
password is flawed. By default, sudo requires a user's own password, and
it's somewhat configurable as to what users can do, and importantly to
you, rules are readily applied to users in particular groups. For
example, I have a couple of CGI scripts that can update firewall rules.
Sudo allows the web server to run the scripts without a password, but
other users cannot use them to update the firewall, unless they're in a
group with that privilege.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
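Added example, not part of either message above: a small POSIX shell model of which account each PAM module inspects when su runs. pam_listfile.so with item=group evaluates the groups of PAM_USER, and for su that is the account being switched to (root, which is why the secure log names root), while pam_wheel.so evaluates the groups of the invoking user. The group database, user names and allow-list below are constructed; nothing reads the real /etc/group, and the pam_listfile and pam_wheel option strings in the comments are quoted only to label which behaviour is being modelled.

```shell
#!/bin/sh
# Models which account pam_listfile (item=group) and pam_wheel check during su.
# All group data here is constructed sample data, not a real /etc/group.

GROUP_DB=$(mktemp)
ALLOW_FILE=$(mktemp)
trap 'rm -f "$GROUP_DB" "$ALLOW_FILE"' EXIT

# Constructed /etc/group-style lines. Primary membership is folded into the
# member list so one lookup covers both primary and supplementary groups.
cat > "$GROUP_DB" <<'EOF'
root:x:0:root
wheel:x:10:alice
users:x:100:alice,bob
EOF

# groups_of USER: print every group that lists USER as a member, one per line
groups_of() {
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$GROUP_DB"
}

# in_allow_list USER: "allow" if any group of USER appears in ALLOW_FILE, else "deny"
in_allow_list() {
    for g in $(groups_of "$1"); do
        if grep -qxF -- "$g" "$ALLOW_FILE"; then
            echo allow
            return
        fi
    done
    echo deny
}

# set_allow GROUP...: rewrite the allow-list file (models the file= argument)
set_allow() { printf '%s\n' "$@" > "$ALLOW_FILE"; }

# listfile_decision INVOKER TARGET: what
#   auth required pam_listfile.so item=group sense=allow file=<ALLOW_FILE> onerr=fail
# decides. PAM_USER for su is the TARGET account, so INVOKER never enters into it.
listfile_decision() { in_allow_list "$2"; }

# wheel_decision INVOKER TARGET: what
#   auth required pam_wheel.so use_uid group=<g>
# decides. It looks at the INVOKING user's groups (here: any group in ALLOW_FILE;
# the real module takes a single group= argument).
wheel_decision() { in_allow_list "$1"; }

demo() {
    set_allow wheel
    echo "allow {wheel}, alice -> root: listfile=$(listfile_decision alice root) wheel=$(wheel_decision alice root)"
    set_allow root
    echo "allow {root},  bob   -> root: listfile=$(listfile_decision bob root) wheel=$(wheel_decision bob root)"
}
demo
```

With the allow-list set to wheel, the pam_listfile model denies alice because root's groups, not alice's, are tested; the pam_wheel model permits her. With the allow-list set to root, the pam_listfile model permits bob even though he is in no administrative group, which matches the "every user can su" observation in the thread. For restricting su by the caller's group, pam_wheel.so with group= (or a sudoers rule of the form %groupname ALL=(ALL) ALL, as the reply suggests) is the mechanism that inspects the right account.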
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list