From owner-freebsd-stable@FreeBSD.ORG Wed Aug 22 00:19:03 2007
From: Chuck Swiger <cswiger@mac.com>
Date: Tue, 21 Aug 2007 17:18:51 -0700
To: Richard Foulkes
Cc: freebsd-stable@freebsd.org
Subject: Re: pam_group vs. multiple group lines
Message-Id: <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com>
In-Reply-To: <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk>

On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:

> Ok, so how are you supposed to control membership of the wheel
> group via ldap? Ok, you COULD remove the local wheel entry in
> /etc/group, but this would probably be a bad idea if the ldap server
> were unavailable.

You've aptly summarized my thoughts on the matter -- I would not rely
on LDAP to provide information about root or the wheel group.

> I've had a similar problem to this where group names are duplicated
> across different operating systems (I use gentoo, freebsd and
> ubuntu on my network) but the gids are different. For instance the
> 'audio' group on gentoo has a different gid to the 'audio' group on
> ubuntu. This would appear to have something to do with the
> nss_base_group configuration option in the ldap.conf file used by
> nss_ldap and pam_ldap - something to do with the "search scope" -
> whereby I can configure the ldap.conf file for one OS to look at a
> sub-tree of my "groups" ou for additional groups specific to that OS -
> but documentation on the PADL site on this topic is almost
> non-existent!
>
> Can anyone help?

The solutions to these problems are somewhat painful; looking into the
experience of those using YP/NIS or NetInfo will probably give some
insight which applies to using the newfangled directory services (aka
"LDAP", "Active Directory", "Open Directory", etc).

You can replace the existing flatfile groups with a unified version
which your site is happy with across all of the platforms you use, and
then use "find -nogroup" and things like mtree or rsync to reset the
permissions appropriately.

-- 
-Chuck
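The unification Chuck describes has two halves: agree on one site-wide group table, and then renumber the gids on every host's filesystem in a single pass over a snapshot (the role "find -nogroup" and mtree play above). The script below is an added example, not code from this thread or from FreeBSD; the host names, group files and paths are constructed sample data. It keeps one host as the reference so that its local wheel entry is never remapped, which is the point made earlier in the message about not letting the directory service own root or wheel.

```python
# Added example (not from the thread): merge several per-OS /etc/group files
# into one site-wide table and derive the per-host gid renumbering that a
# one-pass chgrp, driven by a find/mtree snapshot, would then apply.
# Hosts, group files and paths below are constructed sample data.
from typing import Dict, List, Set, Tuple

GroupTable = Dict[str, Tuple[str, int, Set[str]]]


def parse_group(text: str) -> GroupTable:
    """Parse group(5) lines into name -> (password field, gid, members)."""
    groups: GroupTable = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, passwd, gid, members = line.split(":", 3)
        groups[name] = (passwd, int(gid), {m for m in members.split(",") if m})
    return groups


def merge_groups(per_host: Dict[str, str], reference: str, floor: int = 1000):
    """Build one group table from many.

    The reference host's gids are kept verbatim (its remap is empty), so its
    local wheel entry survives the merge untouched. On other hosts a group
    keeps its gid only while that gid is still free; a name already in the
    table takes the unified gid, and a new name whose gid collides gets the
    next free gid >= floor. Members are unioned across hosts.
    Returns (unified group lines sorted by gid, {host: {old_gid: new_gid}}).
    """
    unified: GroupTable = {}
    used: Set[int] = set()
    remap: Dict[str, Dict[int, int]] = {h: {} for h in per_host}
    next_gid = floor

    def alloc() -> int:
        nonlocal next_gid
        while next_gid in used:
            next_gid += 1
        return next_gid

    order = [reference] + sorted(h for h in per_host if h != reference)
    for host in order:
        for name, (passwd, gid, members) in parse_group(per_host[host]).items():
            if name not in unified:
                new_gid = gid if gid not in used else alloc()
                unified[name] = (passwd, new_gid, set())
                used.add(new_gid)
            new_gid = unified[name][1]
            unified[name][2].update(members)
            if new_gid != gid:
                remap[host][gid] = new_gid
    lines = [f"{n}:{p}:{g}:{','.join(sorted(m))}"
             for n, (p, g, m) in sorted(unified.items(), key=lambda kv: kv[1][1])]
    return lines, remap


def plan_chgrp(snapshot: List[Tuple[str, int]],
               host_remap: Dict[int, int]) -> List[Tuple[str, int, int]]:
    """One pass over a recorded (path, gid) snapshot such as mtree or find
    output. Every entry is looked up exactly once against the old gid, so a
    chain like 18 -> 1001 and 29 -> 18 on the same host cannot double-apply,
    which it would if chgrp were run per group against the live tree."""
    return [(p, g, host_remap[g]) for p, g in snapshot if g in host_remap]


def find_nogroup(snapshot: List[Tuple[str, int]], host_remap: Dict[int, int],
                 unified_lines: List[str]) -> List[str]:
    """What find -nogroup would report once the remap has been applied:
    paths whose (renumbered) gid names no group in the unified table."""
    known = {int(line.split(":")[2]) for line in unified_lines}
    return [p for p, g in snapshot if host_remap.get(g, g) not in known]


# Constructed sample group files; gids chosen to collide across hosts.
GROUP_FILES = {
    "freebsd": "wheel:*:0:root,alice\nstaff:*:20:alice\naudio:*:1001:alice\n",
    "gentoo": "wheel:x:10:root,bob\naudio:x:18:bob\nvideo:x:27:bob\n",
    "ubuntu": "audio:x:29:carol\nstaff:x:50:carol\nvideo:x:44:carol\n",
}

# Constructed snapshot of the ubuntu host, as (path, gid) pairs.
UBUNTU_SNAPSHOT = [("/home/carol/music", 29), ("/usr/local/share", 50),
                   ("/dev/dri", 44), ("/tmp/orphan", 999), ("/etc", 0)]


def demo():
    lines, remap = merge_groups(GROUP_FILES, reference="freebsd")
    plan = plan_chgrp(UBUNTU_SNAPSHOT, remap["ubuntu"])
    orphans = find_nogroup(UBUNTU_SNAPSHOT, remap["ubuntu"], lines)
    return lines, remap, plan, orphans


if __name__ == "__main__":
    lines, remap, plan, orphans = demo()
    print("\n".join(lines))
    for host, m in remap.items():
        print(host, m)
    for path, old, new in plan:
        print(f"chgrp -h {new} {path}   # was gid {old}")
    print("nogroup after remap:", orphans)
```

The snapshot is taken before any chgrp runs and the plan is applied from that snapshot rather than by re-walking the tree per group; that ordering is what makes the renumbering safe when one host's old gid is another group's new gid. Anything still reported by the nogroup pass afterwards is a gid that no unified group claims and needs a human decision, not an automatic reassignment.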