From: "Dan Mahoney, System Admin"
Date: Thu, 11 Dec 2008 12:00:04 -0500 (EST)
To: questions@freebsd.org
Cc: hackers@freebsd.org
Subject: (no subject)

Okay, new problem with regard to netgroups, NIS, and PAM:

Given the following situation:

* I want to be able to have su work normally in the event of an NIS disconnect, since I will likely need to su to fix said disconnect.
* The wheel group needs to stay local
* I want su to still use group ownership as a check

I recently could not get an admin account (defined in NIS) to su to root. Even though "groups username" showed he was in wheel (and the wheel group has been propagated into NIS), pam_group and pw groupshow show him as not.

This is probably because the local wheel group overrode the NIS wheel group. (I'm not that thrilled by having the wheel group in NIS anyway).

Since pam_group is "requisite", there's no easy way to call it multiple times, and no easy PAM syntax to say "one of these two must pass". Required won't help; otherwise I'd simply define an extra group, call it NISwheel or something, and configure access accordingly.

What I instead would propose is for pam_group to take an optional argument list instead of a single group (or possibly, multiple group= requirements).

Doing something with pam_exec is an option here as well, but I feel this functionality should be fairly elementary to add, moving forward.

-Dan

--

"You're a daddy. I'm a mommy. She's our baby. Deal with it."

-Cali, 11/7/02, about 1:35 AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------