Date: Tue, 21 Aug 2007 17:18:51 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Richard Foulkes <rbsfou@yahoo.co.uk>
Cc: freebsd-stable@freebsd.org
Subject: Re: pam_group vs. multiple group lines
Message-ID: <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com>
In-Reply-To: <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <A77859AB-FF17-4FBA-8B2C-462B129D84A3@mac.com> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk>
On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:

> Ok, so how are you supposed to control membership of the wheel
> group via ldap? Ok, you COULD remove the local wheel entry in
> /etc/group, but this would probably be a bad idea if the ldap server
> were unavailable.

You've aptly summarized my thoughts on the matter-- I would not rely on LDAP to provide information about root or the wheel group.

> I've had a similar problem to this where group names are duplicated
> across different operating systems (I use gentoo, freebsd and
> ubuntu on my network) but the gids are different. For instance the
> 'audio' group on gentoo has a different gid to the 'audio' group on
> ubuntu. This would appear to have something to do with the
> nss_base_group configuration option in the ldap.conf file used by
> nss_ldap and pam_ldap - something to do with the "search scope" -
> whereby I can configure the ldap.conf file for one OS to look at a
> sub-tree of my "groups" ou for additional groups specific to that OS -
> but documentation on the PADL site on this topic is almost
> non-existent!
>
> Can anyone help?

The solutions to these problems are somewhat painful; looking into the experience of those using YP/NIS or NetInfo will probably give some insight which applies to using the newfangled directory services (aka "LDAP", "Active Directory", "Open Directory", etc).

You can replace the existing flatfile groups with a unified version which your site is happy with across all of the platforms you use, and then use "find -nogroup" and things like mtree or rsync to reset the permissions appropriately.

--
-Chuck
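As an added example (not part of the thread), a small POSIX sh script for the preparatory step Chuck describes: it compares /etc/group files collected from several hosts, reports group names that carry different gids across hosts (the 'audio' case above), and prints the find(1) pass that would renumber files on each host once the unified group file is installed. The per-host group files and their contents are constructed samples.

```shell
#!/bin/sh
# Constructed /etc/group excerpts, one file per host, named <host>.group.
WORK=$(mktemp -d)
cat > "$WORK/gentoo.group" <<'EOF'
wheel:x:10:alice
audio:x:18:alice,bob
video:x:27:alice
EOF
cat > "$WORK/ubuntu.group" <<'EOF'
wheel:x:10:alice
audio:x:29:bob
cdrom:x:24:alice
EOF

# gid_conflicts FILE... : print "name host1=gid host2=gid ..." for every group
# name that appears on more than one host with differing gids (sorted by name).
# Groups whose gid already agrees everywhere (wheel here) are not reported.
gid_conflicts() {
    awk -F: '
        FNR == 1 { host = FILENAME; sub(/.*\//, "", host); sub(/\.group$/, "", host) }
        /^[^#]/ && NF >= 3 {
            name = $1; gid = $3
            if (!(name in first)) { order[++n] = name; first[name] = gid }
            else if (first[name] != gid) { conflict[name] = 1 }
            gids[name] = gids[name] " " host "=" gid
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in conflict) print order[i] gids[order[i]]
        }' "$@" | sort
}

# remap_plan NAME NEW_GID FILE... : for each host whose NAME has a gid other than
# NEW_GID, print the find(1) command that would move files from the old numeric
# gid to the new one. Printed only, never executed here: review it, then run it
# as root on that host after its /etc/group has been replaced by the unified one.
remap_plan() {
    name=$1; new=$2; shift 2
    for f in "$@"; do
        host=$(basename "$f" .group)
        old=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$f")
        if [ -n "$old" ] && [ "$old" != "$new" ]; then
            echo "# $host: find / -xdev -group $old -exec chgrp $new {} +"
        fi
    done
}

gid_conflicts "$WORK"/*.group
remap_plan audio 18 "$WORK"/*.group
```

After the remap, `find / -xdev -nogroup` on each host should come back empty; anything it still lists is owned by a gid that the unified file no longer names.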