----- Original Message ----
From: Tim <[email protected]>
To: Matthew J. Salerno <[email protected]>; Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list <[email protected]>
Sent: Wed, October 21, 2009 6:18:52 PM
Subject: Re: [rhelv5-list] RHEL 5.2 - Winbind and pam.d/su restrictions

On 10/22/2009 08:20 AM, Matthew J. Salerno wrote:
> 5.2 x86_64
> Samba: samba-3.0.28-0.el5.8
> PAM: pam-0.99.6.2-3.27.el5
>
> The server is successfully joined to AD and AD users can log in with no
> issues. The issue I am having has to do with the su command. I want to
> allow only a handful of groups to be able to use the su command. I updated
> the /etc/pam/su as shown below, but I am getting the following error in my
> secure log:
>
> su: pam_listfile(su-l:auth): Refused user root for service su-l
>
> getent group/passwd are both working and sudo works with the groups as well,
> just not pam_listfile.so. What's worse is that if I remove the line with the
> pam_listfile.so and use pam_wheel and specify the domain group, it works. So
> by deduction, the issue has to be with the pam_listfile.so module config. I
> know that I cannot be the only one who has run into this. Also, this fails
> for local users in the wheel group.
>
> If I add the root group, it looks like every user can su, so there is no gain.
>
> Does anyone have an alternative or see an error in my config?

I've always used the pam_winbind.so module to do PAM-related auth tasks. It
supports a require_membership_of=[SID or NAME] option, which you could use
for your domain groups. This, however, doesn't let you use a file of groups.

HTH
--
Tim
http://linux.die.net/man/7/pam_winbind

>
> Thanks
>
> # Works in /etc/pam.d/su
> pam_wheel.so use_uid group=DOMAIN-operations
>
> # /etc/pam.d/su
> auth sufficient pam_rootok.so
> auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/suauthgrp.allow
> auth include system-auth
> account sufficient pam_succeed_if.so uid = 0 use_uid quiet
> account include system-auth
> password include system-auth
> session include system-auth
> session optional pam_xauth.so
>
>
> # /etc/security/suauthgrp.allow - 640
> wheel
> DOMAIN-server_ops
> DOMAIN-operations

Thanks for the feedback. The only problem I see with that module is that it
does not allow you to specify multiple groups, and although it might work, I
want to add local groups to the list as well.

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
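An added note and example from the editor, not part of either message above. The logged line "Refused user root for service su-l" is the clue: pam_listfile with item=user compares PAM_USER against the file, and for su PAM_USER is the account being switched to (root), not the person running su. That is why the group names in suauthgrp.allow never match and why adding "root" to the file lets everyone su: the target user matches regardless of who is calling. The item that names the calling user is item=ruser, which only helps if you are willing to list user names rather than groups. To allow several groups of calling users, local and domain, with pam_wheel (the module the poster already found to work for one group), stack one pam_wheel line per group and use the bracketed control syntax so that a match skips over the remaining checks and the pam_deny line, while the normal password check in system-auth still runs. The group names below are the ones from the thread; the file layout otherwise mirrors the posted /etc/pam.d/su.

```text
# /etc/pam.d/su  (editor's example, not the configuration posted in the thread)
#
# pam_wheel with use_uid checks the groups of the calling user (real uid),
# one group= per line. success=N jumps forward N module lines on a match,
# landing on the "include system-auth" line, so a member of any listed
# group still has to authenticate. A non-member falls through to pam_deny.
# default=ignore keeps a non-match from deciding the stack result early.
auth       sufficient   pam_rootok.so
auth       [success=3 default=ignore] pam_wheel.so use_uid group=wheel
auth       [success=2 default=ignore] pam_wheel.so use_uid group=DOMAIN-server_ops
auth       [success=1 default=ignore] pam_wheel.so use_uid group=DOMAIN-operations
auth       required     pam_deny.so
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so
```

Two checks before relying on this: every group= name must resolve through NSS (getent group DOMAIN-operations should return it, which the thread says it does), and the jump counts must be recomputed whenever a line is added to or removed from the auth block between a pam_wheel line and the include, because a wrong count can land on or past pam_deny and either lock everyone out or let a non-member through. Test with a member of each group and with a non-member before leaving the old config behind.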
