When using pam_listfile to restrict logins based on group membership on a system connected either to LDAP or AD via winbind, there are large delays while group membership checks are done due to inefficiencies in how pam_listfile determines group membership. See this[1] thread for discussion. This patch[2] appears to address the issue but would need to be backported to PAM in RHEL5. This issue is occurring with pam-0.99.6.2-6.el5. The "workaround" is to disable enumeration of groups in the smb.conf file, however this isn't an ideal solution. An SRPM with the patch applied can be found here[3]. I have tested this patched version on our production servers and can confirm that pam_listfile now works extremely quickly when using group restrictions.

[1] http://www.redhat.com/archives/pam-list/2009-September/msg00001.html
[2] http://tinyurl.com/y9beq49
[3] http://fedorapeople.org/~rayvd/pam/pam-0.99.6.2-6.el5.esri1.src.rpm
Created attachment 380866: Upstream's patch to use pam_modutil_user_in_group_nam_nam().
Opened RH SR #1982110 for this issue.
*** Bug 548410 has been marked as a duplicate of this bug. ***
*** Bug 574574 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This seems like a trivial change. Will bump this again with support (Case #00335957).
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
For those watching this bug, got an update from RH Support that the fix should be included in RHEL 5.9.
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. This request will be considered in a future release of Red Hat Enterprise Linux.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: The pam_listfile module was searching through all group entries using the getgrent() call when looking for group matches. Due to this inefficient implementation it was very slow on systems where a large number of groups are stored on a central identity server such as LDAP. The module now uses a more efficient implementation that does not require looking up all groups on the system. The module is now much faster when doing group matches.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0032.html