Date: Wed, 22 Aug 2007 19:22:12 +0200
From: Ulrich Spoerlein <uspoerlein@gmail.com>
To: "Patrick M. Hausen" <hausen@punkt.de>
Cc: freebsd-stable@freebsd.org, Richard Foulkes <rbsfou@yahoo.co.uk>
Subject: Re: pam_group vs. multiple group lines
Message-ID: <20070822172212.GB1426@roadrunner.spoerlein.net>
In-Reply-To: <20070822082840.GB74165@hugo10.ka.punkt.de>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <A77859AB-FF17-4FBA-8B2C-462B129D84A3@mac.com> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com> <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com> <20070822082840.GB74165@hugo10.ka.punkt.de>
On Wed, 22.08.2007 at 10:28:40 +0200, Patrick M. Hausen wrote:
> On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> > On 8/22/07, Chuck Swiger <cswiger@mac.com> wrote:
> > > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > > > Ok, so how are you supposed to control membership of the wheel
> > > > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > > > group, but this would probably be a bad idea if the ldap server
> > > > were unavailable.
> > >
> > > You've aptly summarized my thoughts on the matter-- I would not rely
> > > on LDAP to provide information about root or the wheel group.
> >
> > That is exactly the gist of my question. Of course I know that a group
> > oneliner is the way to go. However, I saw people suggest splitting
> > groups into multiple lines, if the lines are too long or too many
> > groups per line (something to do with the /etc/group parser, I guess).
> >
> > Anyway, I want the LDAP groups to *augment* system groups. Removing
> > wheel from /etc/group and relying on a complex network service ....
> > not funny.
>
> We do not use LDAP yet, but have been using NIS in our internal
> office network for years. If you use the magic "+" token to merge
> your NIS database with the static files for passwd and group
> information, then

I'm not using the compat setting, my nsswitch.conf contains

passwd: files ldap
group: files ldap

> _if_ the group entry in the static file does not contain any users
> _then_ the information from NIS is merged in
>
> So you can keep a "wheel" group around as the _primary_ group
> for root, toor, whatnot ... and all the additional members
> that have "wheel" as an auxiliary group come from NIS.
>
> Possibly this works for LDAP, too? IMHO at least it should ;-))

THANK YOU! It is indeed working for LDAP too. But it fails for sudo(8).
Luckily I could replace the %wheel directive with a few user id
directives.
It's still a shortcoming of some sort and I guess I'll file a PR if no one
else has any more information on the issue.

getent group now has the following wheel entries

% getent group|grep wheel
wheel:*:0
wheel:*:0:us,root

As I said, su(1) is happy, sudo(8) not yet.

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
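The doubled wheel entry Ulrich shows above, modelled as an added example. This is not code from the thread or from FreeBSD, and it does not claim which lookup path su(1), pam_group or sudo(8) actually take; the two group sources are constructed to mirror his getent output (an empty wheel in the static file, the members in LDAP) and the nsswitch.conf order "files ldap". It contrasts a first-match lookup with a full enumeration, and adds a merge in the style Patrick describes for NIS "+" entries, so the reader can see why a consumer that stops at the first wheel entry never learns about the LDAP-supplied members.

```python
# Added example, not code from the thread or from FreeBSD. It models the two
# ways a consumer can consult an NSS group database made of two sources,
# "files" then "ldap", using constructed entries that mirror the getent output
# Ulrich posted. Which strategy su(1), pam_group or sudo(8) actually use is
# not asserted here.

from collections import namedtuple

GroupEntry = namedtuple("GroupEntry", "name passwd gid members")


def parse_group_line(line):
    """Parse one group(5)-style line: name:passwd:gid:member1,member2,..."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError("malformed group line: %r" % line)
    members = tuple(m for m in fields[3].split(",") if m) if len(fields) > 3 else ()
    return GroupEntry(fields[0], fields[1], int(fields[2]), members)


# Constructed sample sources, in nsswitch.conf order ("group: files ldap").
FILES_SOURCE = ["wheel:*:0:", "operator:*:5:root"]
LDAP_SOURCE = ["wheel:*:0:us,root", "ldapusers:*:1000:us"]
SOURCES = [FILES_SOURCE, LDAP_SOURCE]


def enumerate_groups(sources):
    """Walk every entry of every source, the way getent group / getgrent(3) do.
    A group present in both sources therefore shows up twice."""
    return [parse_group_line(line) for src in sources for line in src]


def lookup_first_match(name, sources):
    """Return the first entry whose name matches and stop at the first source
    that answers; this is getgrnam(3)-style resolution."""
    for src in sources:
        for line in src:
            entry = parse_group_line(line)
            if entry.name == name:
                return entry
    return None


def is_member_first_match(user, group, sources):
    """Membership test that trusts the single entry lookup_first_match returns."""
    entry = lookup_first_match(group, sources)
    return entry is not None and user in entry.members


def is_member_any_entry(user, group, sources):
    """Membership test that scans every entry of that name across all sources,
    so LDAP-supplied members are seen even when the files entry is empty."""
    return any(e.name == group and user in e.members for e in enumerate_groups(sources))


def lookup_merge_empty(name, sources):
    """Model of the merge Patrick describes for NIS "+" entries: if the first
    matching entry has no members, fill its member list from a later source."""
    first = lookup_first_match(name, sources)
    if first is None or first.members:
        return first
    for e in enumerate_groups(sources):
        if e.name == name and e.members:
            return first._replace(members=e.members)
    return first


if __name__ == "__main__":
    # Mirrors "getent group | grep wheel": two wheel lines, one per source.
    for e in enumerate_groups(SOURCES):
        if e.name == "wheel":
            print("%s:%s:%d:%s" % (e.name, e.passwd, e.gid, ",".join(e.members)))
    print("first-match says us in wheel:", is_member_first_match("us", "wheel", SOURCES))
    print("any-entry says us in wheel:  ", is_member_any_entry("us", "wheel", SOURCES))
    print("merged wheel members:        ", lookup_merge_empty("wheel", SOURCES).members)
```

Run as a script it prints both wheel lines, then False for the first-match test, True for the scan over all entries, and ('us', 'root') for the merged view. The practical check on a real box is the same one Ulrich did: compare what `getent group` lists for wheel against what each privileged tool actually grants, and do not assume that because one of them (su) accepts the LDAP members, the others (sudo) resolve the group the same way.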