From: "Scot Hetzel" <swhetzel@gmail.com>
To: "Ulrich Spoerlein"
Cc: freebsd-stable@freebsd.org
Date: Wed, 22 Aug 2007 13:47:43 -0500
Subject: Re: pam_group vs. multiple group lines
Message-ID: <790a9fff0708221147u40104228k5ff7e08180dd5b41@mail.gmail.com>
In-Reply-To: <20070822172212.GB1426@roadrunner.spoerlein.net>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com> <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com> <20070822082840.GB74165@hugo10.ka.punkt.de> <20070822172212.GB1426@roadrunner.spoerlein.net>
List-Id: Production branch of FreeBSD source code

On 8/22/07, Ulrich Spoerlein wrote:
> On Wed, 22.08.2007 at 10:28:40 +0200, Patrick M. Hausen wrote:
> > On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> > > That is exactly the gist of my question. Of course I know that a group
> > > oneliner is the way to go. However, I saw people suggest splitting
> > > groups into multiple lines, if the lines are too long or too many
> > > groups per line (something to do with the /etc/group parser, I guess).
> > >
> > > Anyway, I want the LDAP groups to *augment* system groups. Removing
> > > wheel from /etc/group and relying on a complex network service ....
> > > not funny.
> >
> > We do not use LDAP yet, but have been using NIS in our internal
> > office network for years. If you use the magic "+" token to merge
> > your NIS database with the static files for passwd and group
> > information, then
>
> I'm not using the compat setting, my nsswitch.conf contains
>
> passwd: files ldap
> group: files ldap
>
> > _if_ the group entry in the static file does not contain any users
> > _then_ the information from NIS is merged in
> >
> > So you can keep a "wheel" group around as the _primary_ group
> > for root, toor, whatnot ... and all the additional members
> > that have "wheel" as an auxiliary group come from NIS.
> >
> > Possibly this works for LDAP, too? IMHO at least it should ;-))
>
> THANK YOU! It is indeed working for LDAP too. But it fails for sudo(8).
> Luckily I could replace the %wheel directive with a few user id
> directives.
>
> It's still a shortcoming of some sort and I guess I'll file a PR if
> no one else has any more information on the issue.
>
> getent group now has the following wheel entries
> % getent group|grep wheel
> wheel:*:0
> wheel:*:0:us,root
>
> As I said, su(1) is happy, sudo(8) not yet.
>

Does the following work for you:

passwd: ldap [notfound=return] files
group: ldap [notfound=return] files

This sets ldap as the authoritative source for users and groups, unless the
ldap service is down, in which case it will use the files as the source
(useful when the ldap server is down). This will require that you place all
of the users/groups into the ldap server. (Modified from the nis example in
the nsswitch.conf(5) man page.)

You could also try the following:

passwd: ldap files
group: ldap [success=continue] files

Scot
--
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
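Added example, not part of the thread: a small simulation of how nsswitch.conf source
chaining resolves the "group:" line, showing why an enumeration such as `getent group`
can list two "wheel" entries (files plus ldap) while a single getgrnam(3)-style lookup
stops at the first source whose action says return. The sample databases, the simulated
outage, and the rule that `success=continue` keeps the latest answer are constructed
assumptions, not FreeBSD's actual nsdispatch(3) code.

```python
from dataclasses import dataclass

@dataclass
class Group:
    name: str
    gid: int
    members: tuple

# Constructed sample databases: files carries a memberless wheel (primary group of
# root), ldap carries the auxiliary members, mirroring the getent output in the thread.
FILES = {"wheel": Group("wheel", 0, ()), "staff": Group("staff", 20, ("ops",))}
LDAP = {"wheel": Group("wheel", 0, ("us", "root")), "dev": Group("dev", 1000, ("us",))}
DBS = {"files": FILES, "ldap": LDAP}

# Default actions per nsswitch.conf(5): stop on success, try the next source otherwise.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_line(spec):
    """Turn 'ldap [notfound=return] files' into [(source, {status: action}), ...]."""
    entries = []
    for tok in spec.split():
        if tok.startswith("["):                      # criterion binds to the preceding source
            status, action = tok.strip("[]").lower().split("=")
            entries[-1][1][status] = action
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return entries

def getgrnam(spec, name, databases=DBS, down=()):
    """Single name lookup: walk the sources in order, obeying each status action."""
    last_hit = None
    for source, actions in parse_line(spec):
        if source in down:
            status, hit = "unavail", None            # simulated outage (e.g. LDAP server down)
        else:
            hit = databases[source].get(name)
            status = "success" if hit else "notfound"
        last_hit = hit or last_hit                   # assumption: a later answer wins
        if actions[status] == "return":
            return last_hit
    return last_hit

def getent_group(spec, databases=DBS, down=()):
    """Enumeration (getent group): every reachable source is listed, hence two wheel lines."""
    return [g for source, _ in parse_line(spec) if source not in down
            for g in databases[source].values()]
```

With `files ldap`, the single lookup returns the memberless wheel from files while the enumeration shows both lines; with `ldap [notfound=return] files`, a group missing from ldap is not looked up in files unless ldap is unreachable.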