pam_group vs. multiple group lines

Chuck Swiger cswiger at
Tue Aug 21 17:19:03 PDT 2007

On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> Ok, so how are you supposed to control membership of the wheel  
> group via ldap? Ok, you COULD remove the local wheel entry in /etc/ 
> group, but this would probably be a bad idea if the ldap server  
> were unavailable.

You've aptly summarized my thoughts on the matter-- I would not rely  
on LDAP to provide information about root or the wheel group.

> I've had a similar problem to this where group names are duplicated  
> across different operating systems (I use gentoo, freebsd and  
> ubuntu on my network) but the gids are different. For instance the  
> 'audio' group on gentoo has a different gid to the 'audio' group on  
> ubuntu. This would appear to have something to do with the  
> nss_base_group configuration option in the ldap.conf file used by  
> nss_ldap and pam_ldap - something to do with the "search scope" -  
> whereby I can configure the ldap.conf file for one OS to look at a sub- 
> tree of my "groups" ou for additional groups specific to that OS -  
> but documentation on the PADL site on this topic is almost non- 
> existent!
> Can anyone help?

The solutions to these problems are somewhat painful; looking into  
the experience of those using YP/NIS or NetInfo will probably give  
some insight which applies to using the newfangled directory services  
(aka "LDAP", "Active Directory", "Open Directory", etc).  You can  
replace the existing flatfile groups with a unified version which  
your site is happy with across all of the platforms you use, and then  
use "find -nogroup" and things like mtree or rsync to reset the  
permissions appropriately.
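As an added example, not part of the thread, here is the diagnosis step for the gid-mismatch problem in Python: parse each host's group(5) file, report names that carry different gids across hosts, and plan the old-gid to new-gid changes that a `find -gid OLD -exec chgrp NEW` pass would apply once the site has picked its unified gids. The host names and group files are constructed; the check that a target gid is not already taken by another group on that host is the caveat that makes such a remap safe.

```python
"""Compare group(5) files from several hosts and plan a unified gid remap."""
from collections import defaultdict

# Constructed sample group files: same group names, different gids per host.
GROUP_FILES = {
    "gentoo": "wheel:x:10:rfoulkes\naudio:x:18:rfoulkes\nusers:x:100:\n",
    "ubuntu": "audio:x:29:rfoulkes\nusers:x:100:\nplugdev:x:46:rfoulkes\n",
}


def parse_group(text):
    """Return {name: gid} from group(5) content, skipping blank and comment lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed group line: {line!r}")
        groups[fields[0]] = int(fields[2])
    return groups


def find_conflicts(files):
    """Return {name: {gids}} for every group name that has more than one gid across hosts."""
    by_name = defaultdict(set)
    for text in files.values():
        for name, gid in parse_group(text).items():
            by_name[name].add(gid)
    return {name: gids for name, gids in by_name.items() if len(gids) > 1}


def plan_remap(files, unified):
    """Per host, list (old_gid, new_gid, name) where the host disagrees with the site's unified gids.

    Refuses a change if the target gid is already used by a different group on that host,
    since chgrp'ing files to it would silently merge two groups' permissions."""
    plan = {}
    for host, text in files.items():
        groups = parse_group(text)
        taken = {gid: name for name, gid in groups.items()}
        changes = []
        for name, gid in groups.items():
            target = unified.get(name)
            if target is None or target == gid:
                continue
            if target in taken and taken[target] != name:
                raise ValueError(f"{host}: gid {target} already belongs to {taken[target]!r}")
            changes.append((gid, target, name))
        plan[host] = sorted(changes)
    return plan


if __name__ == "__main__":
    print("conflicts:", find_conflicts(GROUP_FILES))
    for host, changes in plan_remap(GROUP_FILES, {"audio": 18}).items():
        for old, new, name in changes:  # emit the fix-up pass to run on that host as root
            print(f"{host}: find / -xdev -gid {old} -exec chgrp {new} {{}} +  # {name}")
```

After the remap, `find / -xdev -nogroup` on each host lists anything still owned by a gid that no longer exists in the unified file.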
