pam_group vs. multiple group lines

Ulrich Spoerlein uspoerlein at gmail.com
Wed Aug 22 10:23:34 PDT 2007


On Wed, 22.08.2007 at 10:28:40 +0200, Patrick M. Hausen wrote:
> On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> > On 8/22/07, Chuck Swiger <cswiger at mac.com> wrote:
> > > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > > > Ok, so how are you supposed to control membership of the wheel
> > > > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > > > group, but this would probably be a bad idea if the ldap server
> > > > were unavailable.
> > >
> > > You've aptly summarized my thoughts on the matter-- I would not rely
> > > on LDAP to provide information about root or the wheel group.
> > 
> > That is exactly the gist of my question. Of course I know that a group
> > oneliner is the way to go. However, I saw people suggest splitting
> > groups into multiple lines, if the lines are too long or too many
> > groups per line (something to do with the /etc/group parser, I guess).
> > 
> > Anyway, I want the LDAP groups to *augment* system groups. Removing
> > wheel from /etc/group and relying on a complex network service ....
> > not funny.
> 
> We do not use LDAP yet, but have been using NIS in our internal
> office network for years. If you use the magic "+" token to merge
> your NIS database with the static files for passwd and group
> information, then

I'm not using the compat setting, my nsswitch.conf contains

passwd: files ldap
group: files ldap

> _if_ the group entry in the static file does not contain any users
> _then_ the information from NIS is merged in
> 
> So you can keep a "wheel" group around as the _primary_ group
> for root, toor, whatnot ... and all the additional members
> that have "wheel" as an auxiliary group come from NIS.
> 
> Possibly this works for LDAP, too? IMHO at least it should ;-))

THANK YOU! It is indeed working for LDAP too. But it fails for sudo(8).
Luckily I could replace the %wheel directive with a few user id
directives.

It's still a shortcoming of some sort and I guess I'll file a PR if
no one else has any more information on the issue.

getent group now has the following wheel entries:
% getent group|grep wheel
wheel:*:0
wheel:*:0:us,root

As I said, su(1) is happy, sudo(8) not yet.

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.
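The merge behaviour discussed in this thread (a local group entry with an empty member list gets its members filled in from the directory source, while local entries with members are left alone) can be simulated offline. The following is an added example written for this archive page; it is not code from the original post or from FreeBSD's NSS implementation. The group lines for the local file and the LDAP source are constructed sample data, and the GID-clash rule (a remote entry with a different GID never overrides the local one) is an assumption added to show why keeping wheel in /etc/group protects root's group even when the directory is unreachable or returns something unexpected.

```python
"""Simulate a files-then-ldap group lookup where the directory source
*augments* local groups instead of replacing them.

Added example for the thread above, not code from the original post or
from FreeBSD. The merge rule (a local entry with no members is augmented
by later sources) follows the thread; the GID-clash check and all sample
group lines are constructed assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

GroupEntry = Tuple[int, List[str]]  # (gid, members)

# Constructed sample /etc/group: wheel stays local (so root's primary
# group 0 always resolves) but lists no members, inviting augmentation.
LOCAL_GROUP_FILE = """\
wheel:*:0:
operator:*:5:root
staff:*:20:
audit:*:30:
"""

# Constructed stand-in for what the LDAP source would return.
LDAP_GROUP_LINES = """\
wheel:*:0:us,root
operator:*:5:carol
staff:*:20:alice,bob
audit:*:31:carol
devs:*:1001:alice
"""


def parse_group_lines(text: str) -> Dict[str, GroupEntry]:
    """Parse group(5)-style lines: name:password:gid:member,member,..."""
    entries: Dict[str, GroupEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {raw!r}")
        name, _password, gid, members = fields
        entries[name] = (int(gid), [m for m in members.split(",") if m])
    return entries


def merge_group_sources(
    sources: List[Optional[Dict[str, GroupEntry]]],
) -> Dict[str, GroupEntry]:
    """Merge ordered group sources ("files" first, then "ldap").

    - The first source that defines a group fixes its name and GID.
    - A later source may add members only to a group whose earlier entry
      listed none (the behaviour described in the thread).
    - A later entry with a different GID is ignored (constructed rule: a
      remote record must not hijack a local group's identity).
    - A source given as None is treated as unavailable and skipped, which
      is what makes the local wheel entry survive an LDAP outage.
    """
    merged: Dict[str, GroupEntry] = {}
    for source in sources:
        if source is None:  # e.g. the LDAP server is unreachable
            continue
        for name, (gid, members) in source.items():
            if name not in merged:
                merged[name] = (gid, list(members))
                continue
            local_gid, local_members = merged[name]
            if local_gid != gid:
                continue  # keep the local definition untouched
            if not local_members:
                merged[name] = (gid, sorted(set(members)))
    return merged


def resolve_groups(ldap_available: bool = True) -> Dict[str, GroupEntry]:
    """Run the merge with the constructed data, optionally without LDAP."""
    local = parse_group_lines(LOCAL_GROUP_FILE)
    ldap = parse_group_lines(LDAP_GROUP_LINES) if ldap_available else None
    return merge_group_sources([local, ldap])


if __name__ == "__main__":
    for available in (True, False):
        print(f"ldap available={available}:")
        for name, (gid, members) in sorted(resolve_groups(available).items()):
            print(f"  {name}:*:{gid}:{','.join(members)}")
```

With LDAP reachable, wheel becomes `0:root,us` and staff picks up its directory members, while operator keeps only its local member and audit (GID 30 locally, 31 remotely) is left as the local empty group. With LDAP unavailable, wheel still exists as GID 0 with no auxiliary members, so root's primary group resolves and nothing local depends on the network service, which is the point made in the thread.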