Date:      Wed, 22 Aug 2007 19:22:12 +0200
From:      Ulrich Spoerlein <uspoerlein@gmail.com>
To:        "Patrick M. Hausen" <hausen@punkt.de>
Cc:        freebsd-stable@freebsd.org, Richard Foulkes <rbsfou@yahoo.co.uk>
Subject:   Re: pam_group vs. multiple group lines
Message-ID:  <20070822172212.GB1426@roadrunner.spoerlein.net>
In-Reply-To: <20070822082840.GB74165@hugo10.ka.punkt.de>
References:  <20070821195043.GA1464@roadrunner.spoerlein.net> <A77859AB-FF17-4FBA-8B2C-462B129D84A3@mac.com> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com> <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com> <20070822082840.GB74165@hugo10.ka.punkt.de>

On Wed, 22.08.2007 at 10:28:40 +0200, Patrick M. Hausen wrote:
> On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> > On 8/22/07, Chuck Swiger <cswiger@mac.com> wrote:
> > > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > > > Ok, so how are you supposed to control membership of the wheel
> > > > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > > > group, but this would probably be a bad idea if the ldap server
> > > > were unavailable.
> > >
> > > You've aptly summarized my thoughts on the matter-- I would not rely
> > > on LDAP to provide information about root or the wheel group.
> > 
> > That is exactly the gist of my question. Of course I know that a group
> > one-liner is the way to go. However, I saw people suggest splitting
> > groups into multiple lines, if the lines are too long or too many
> > groups per line (something to do with the /etc/group parser, I guess).
> > 
> > Anyway, I want the LDAP groups to *augment* system groups. Removing
> > wheel from /etc/group and relying on a complex network service ....
> > not funny.
> 
> We do not use LDAP yet, but have been using NIS in our internal
> office network for years. If you use the magic "+" token to merge
> your NIS database with the static files for passwd and group
> information, then

I'm not using the compat setting, my nsswitch.conf contains

passwd: files ldap
group: files ldap

> _if_ the group entry in the static file does not contain any users
> _then_ the information from NIS is merged in
> 
> So you can keep a "wheel" group around as the _primary_ group
> for root, toor, whatnot ... and all the additional members
> that have "wheel" as an auxiliary group come from NIS.
> 
> Possibly this works for LDAP, too? IMHO at least it should ;-))

THANK YOU! It is indeed working for LDAP too. But it fails for sudo(8).
Luckily I could replace the %wheel directive with a few user id
directives.

It's still a shortcoming of some sort and I guess I'll file a PR if
no one else has any more information on the issue.

getent group now has the following wheel entries
% getent group|grep wheel
wheel:*:0
wheel:*:0:us,root

As I said, su(1) is happy, sudo(8) not yet.

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.
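A small model of the "group: files ldap" behaviour discussed in this thread, added as an illustration and not code from the original message or from FreeBSD: it reproduces the two wheel lines from the getent output above and contrasts a membership check that only reads the first entry returned for the name (assuming the default nsswitch action, where the first source holding the name answers) with one that walks every entry from every source. The LDAP entries, the extra groups and the lookup rules are constructed assumptions.

```python
# Added illustration (not code from the thread): a model of a 'group: files ldap'
# lookup.  LDAP entries, the extra groups and the lookup rules are assumptions.
ETC_GROUP = "wheel:*:0:\noperator:*:5:root\n"             # constructed /etc/group
LDAP_GROUPS = "wheel:*:0:us,root\ndevelopers:*:1001:us\n"  # constructed LDAP view

def parse_group_file(text):
    """Parse group(5) lines into (name, password, gid, members) tuples."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        name, pw, gid = parts[:3]
        members = parts[3] if len(parts) > 3 else ""
        entries.append((name, pw, int(gid), [m for m in members.split(",") if m]))
    return entries

# nsswitch order: files first, then ldap.
SOURCES = [parse_group_file(ETC_GROUP), parse_group_file(LDAP_GROUPS)]

def getgrent_all(sources=SOURCES):
    """Enumeration, as `getent group` does it: every source is walked in
    nsswitch order, so a group present in both sources is listed twice."""
    return [e for src in sources for e in src]

def getgrnam_first(name, sources=SOURCES):
    """Lookup by name with the default nsswitch action (assumed here):
    the first source holding the name answers, later ones are not asked."""
    for src in sources:
        for e in src:
            if e[0] == name:
                return e
    return None

def is_member_by_group_entry(user, group):
    """Membership test that reads only the first entry's member list."""
    e = getgrnam_first(group)
    return e is not None and user in e[3]

def is_member_by_all_entries(user, group):
    """Membership test over every entry carrying the name, from all sources."""
    return any(user in e[3] for e in getgrent_all() if e[0] == group)

def render(entries):
    """Format entries the way the getent output in the thread shows them."""
    return "\n".join(f"{n}:{p}:{g}" + (":" + ",".join(m) if m else "")
                     for n, p, g, m in entries)
```

In this model a check that trusts only the first entry's member list never sees members supplied by the later source, while a check over all entries does; which of the two any given program uses is something to verify for that program, not something the model decides.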