From owner-freebsd-stable@FreeBSD.ORG Wed Aug 22 17:23:34 2007
Date: Wed, 22 Aug 2007 19:22:12 +0200
From: Ulrich Spoerlein <uspoerlein@gmail.com>
To: "Patrick M. Hausen"
Cc: freebsd-stable@freebsd.org, Richard Foulkes
Subject: Re: pam_group vs. multiple group lines
Message-ID: <20070822172212.GB1426@roadrunner.spoerlein.net>
In-Reply-To: <20070822082840.GB74165@hugo10.ka.punkt.de>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com> <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com> <20070822082840.GB74165@hugo10.ka.punkt.de>
User-Agent: Mutt/1.5.15 (2007-04-06)
List-Id: Production branch of FreeBSD source code

On Wed, 22.08.2007 at 10:28:40 +0200, Patrick M. Hausen wrote:
> On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> > On 8/22/07, Chuck Swiger wrote:
> > > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > > > Ok, so how are you supposed to control membership of the wheel
> > > > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > > > group, but this would probably be a bad idea if the ldap server
> > > > were unavailable.
> > >
> > > You've aptly summarized my thoughts on the matter-- I would not rely
> > > on LDAP to provide information about root or the wheel group.
> >
> > That is exactly the gist of my question. Of course I know that a group
> > oneliner is the way to go. However, I saw people suggest splitting
> > groups into multiple lines, if the lines are too long or too many
> > groups per line (something to do with the /etc/group parser, I guess).
> >
> > Anyway, I want the LDAP groups to *augment* system groups. Removing
> > wheel from /etc/group and relying on a complex network service ....
> > not funny.
>
> We do not use LDAP yet, but have been using NIS in our internal
> office network for years. If you use the magic "+" token to merge
> your NIS database with the static files for passwd and group
> information, then

I'm not using the compat setting, my nsswitch.conf contains

    passwd: files ldap
    group: files ldap

> _if_ the group entry in the static file does not contain any users
> _then_ the information from NIS is merged in
>
> So you can keep a "wheel" group around as the _primary_ group
> for root, toor, whatnot ... and all the additional members
> that have "wheel" as an auxiliary group come from NIS.
>
> Possibly this works for LDAP, too? IMHO at least it should ;-))

THANK YOU! It is indeed working for LDAP too. But it fails for sudo(8).
Luckily I could replace the %wheel directive with a few user id
directives. It's still a shortcoming of some sort and I guess I'll file
a PR if no one else has any more information on the issue.

getent group now has the following wheel entries

    % getent group|grep wheel
    wheel:*:0
    wheel:*:0:us,root

As I said, su(1) is happy, sudo(8) not yet.

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.
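The following is an added example, not code from the thread or from FreeBSD. It simulates what the two "wheel" lines in the getent(1) output above look like to a consumer of the group database under "group: files ldap": a first-match lookup in nsswitch order sees only the member-less local entry, a membership scan across all entries sees the LDAP members, and the "merge in network members when the static entry is empty" rule Patrick describes for NIS compat mode yields a single combined entry. The thread does not say how sudo(8) resolves "%wheel", so the strategies below are an illustration of how duplicate entries can give different answers, not a statement about sudo's implementation. The group lines, the user name "us" and the extra groups are constructed sample data.

```python
"""Simulate group lookups over 'group: files ldap' with a duplicated wheel entry.

Added example, not from the original mailing-list post.  All group data
below is constructed; it only mirrors the shape of the getent(1) output
quoted in the thread (an empty local wheel plus an LDAP wheel with members).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GroupEntry:
    name: str
    passwd: str
    gid: int
    members: List[str]

    def to_line(self) -> str:
        """Render back into group(5) format, the way getent(1) prints it."""
        return f"{self.name}:{self.passwd}:{self.gid}:{','.join(self.members)}"


def parse_group_lines(lines: List[str]) -> List[GroupEntry]:
    """Parse group(5)-style 'name:passwd:gid:member,member' lines.

    Comments and blank lines are skipped.  A trailing empty member field
    ('wheel:*:0:') yields an empty member list, which is the case the
    merge rule in the thread depends on.
    """
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, passwd, gid, members = line.split(":", 3)
        entries.append(GroupEntry(name, passwd, int(gid),
                                  [m for m in members.split(",") if m]))
    return entries


# Constructed sample sources (assumption: not the poster's real data).
LOCAL_GROUP = parse_group_lines([
    "# /etc/group: wheel stays present but empty, so root keeps its",
    "# primary group even when the LDAP server is unreachable",
    "wheel:*:0:",
    "operator:*:5:root",
])
LDAP_GROUP = parse_group_lines([
    "# what the LDAP source returns for the group map",
    "wheel:*:0:us,root",
    "devs:*:1001:us,alice",
])
SOURCES = [LOCAL_GROUP, LDAP_GROUP]   # nsswitch order: 'group: files ldap'


def getent_group(sources: List[List[GroupEntry]]) -> List[GroupEntry]:
    """Like `getent group`: every entry of every source in nsswitch order,
    with no merging, so a group defined in both sources shows up twice."""
    return [entry for source in sources for entry in source]


def getgrnam_first(sources, name: str) -> Optional[GroupEntry]:
    """First-match lookup: the first source that knows `name` wins.
    With 'files' first, this returns the member-less local wheel entry."""
    for entry in getent_group(sources):
        if entry.name == name:
            return entry
    return None


def getgrnam_merged(sources, name: str) -> Optional[GroupEntry]:
    """The NIS-compat merge rule quoted in the thread: if the static entry
    lists no members, take the members from the network source instead."""
    matches = [e for e in getent_group(sources) if e.name == name]
    if not matches:
        return None
    local = matches[0]
    for entry in matches:
        if entry.members:           # first entry with members supplies them
            return GroupEntry(local.name, local.passwd, local.gid,
                              list(entry.members))
    return local                    # nobody lists members anywhere


def groups_of_user(sources, user: str) -> List[str]:
    """Membership scan: every group, from any source, whose member list
    names `user` (the kind of answer a supplementary-group walk gives)."""
    found: List[str] = []
    for entry in getent_group(sources):
        if user in entry.members and entry.name not in found:
            found.append(entry.name)
    return found


def wheel_via_first_match(sources, user: str) -> bool:
    """Is `user` in wheel if you trust the first wheel entry only?"""
    grp = getgrnam_first(sources, "wheel")
    return grp is not None and user in grp.members


def wheel_via_membership(sources, user: str) -> bool:
    """Is `user` in wheel if you scan every entry for membership?"""
    return "wheel" in groups_of_user(sources, user)


if __name__ == "__main__":
    for entry in getent_group(SOURCES):
        print(entry.to_line())
    print("first-match says us in wheel:", wheel_via_first_match(SOURCES, "us"))
    print("membership  says us in wheel:", wheel_via_membership(SOURCES, "us"))
    print("merged wheel entry:", getgrnam_merged(SOURCES, "wheel").to_line())
```

Run stand-alone, the script prints both wheel lines (as getent does), then shows that the first-match strategy denies "us" while the membership scan and the merged entry both include it. Whichever real consumer you are debugging, comparing `getent group wheel` with `id -Gn <user>` on the box is the quick way to see which of the two views it is getting.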