From: Richard Foulkes <rbsfou@yahoo.co.uk>
Date: Tue, 21 Aug 2007 22:02:42 +0100
To: freebsd-stable@freebsd.org
Subject: Re: pam_group vs. multiple group lines
Message-Id: <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk>
References: <20070821195043.GA1464@roadrunner.spoerlein.net>

Ok, so how are you supposed to control membership of the wheel group
via ldap? Ok, you COULD remove the local wheel entry in /etc/group, but
this would probably be a bad idea if the ldap server were unavailable.

I've had a similar problem to this where group names are duplicated
across different operating systems (I use gentoo, freebsd and ubuntu on
my network) but the gids are different. For instance the 'audio' group
on gentoo has a different gid to the 'audio' group on ubuntu. This would
appear to have something to do with the nss_base_group configuration
option in the ldap.conf file used by nss_ldap and pam_ldap - something
to do with the "search scope" - whereby I can configure the ldap.conf
file for one OS to look at a sub-tree of my "groups" ou for additional
groups specific to that OS - but documentation on the PADL site on this
topic is almost non-existent! Can anyone help?

On 21 Aug 2007, at 21:24, Chuck Swiger wrote:

> On Aug 21, 2007, at 12:50 PM, Ulrich Spoerlein wrote:
>> I found this while trying to migrate groups into LDAP, but you don't
>> need LDAP to reproduce this, simply place the following in /etc/group
>>
>> wheel:*:0:root
>> wheel:*:0:us
>
> That's a misconfiguration. From "man 5 group":
>
>     The group field is the group name used for granting file access to users
>     who are members of the group. The gid field is the number associated
>     with the group name. They should both be unique across the system (and
>                               ^^^^^^^^^^^^^^^^^^^^^
>     often across a group of systems) since they control file access.
>
> --
> -Chuck
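An added check, written for this page and not part of the thread: a small Python script that flags the duplicate-name and duplicate-gid misconfiguration Chuck quotes from group(5), run here over a constructed /etc/group sample containing Ulrich's two wheel lines plus a gid-only clash. Skipping '+'/'-' lines as nsswitch compat directives is an assumption about that syntax, not something the thread states.

```python
"""Flag duplicate group names and gids in an /etc/group-style file,
the misconfiguration group(5) warns about (both must be unique)."""
import sys
from collections import defaultdict

# Constructed sample input (added example, not from the original post):
# the two wheel lines from the report plus a second, gid-only clash.
SAMPLE_GROUP = """\
# comment lines and blank lines are ignored
wheel:*:0:root
daemon:*:1:
staff:*:20:root
wheel:*:0:us
operator:*:5:root
audio:*:20:alice
+:*::
"""

def parse_group(text):
    """Yield (lineno, name, gid, members) per real entry; '+'/'-' lines
    are NIS/LDAP compat directives rather than groups and are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        yield lineno, fields[0], int(fields[2]), [m for m in fields[3].split(",") if m]

def find_duplicates(text):
    """Map each duplicated group name and each duplicated gid to the line
    numbers that define it; two empty dicts mean the file is clean."""
    by_name, by_gid = defaultdict(list), defaultdict(list)
    for lineno, name, gid, _ in parse_group(text):
        by_name[name].append(lineno)
        by_gid[gid].append(lineno)
    return {"name": {n: ls for n, ls in by_name.items() if len(ls) > 1},
            "gid": {g: ls for g, ls in by_gid.items() if len(ls) > 1}}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/group"
    dups = find_duplicates(open(path).read())
    for name, lines in dups["name"].items():
        print(f"group name {name!r} defined on lines {lines}")
    for gid, lines in dups["gid"].items():
        print(f"gid {gid} defined on lines {lines}")
    sys.exit(1 if dups["name"] or dups["gid"] else 0)
```

Running it against the sample reports wheel on lines 2 and 5, gid 0 on lines 2 and 5, and gid 20 on lines 4 and 7; a non-zero exit makes it usable as a pre-commit or config-management gate.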