Summary: Add netgroup support in pam
Product: Red Hat Enterprise Linux 3
Reporter: Tom "spot" Callaway <tcallawa>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NEXTRELEASE
Doc Type: Enhancement
Last Closed: 2005-12-15 11:05:24 UTC
Description Tom "spot" Callaway 2005-09-06 19:39:16 UTC
Description of problem: One of my customers is trying to use LDAP netgroups to limit user access to the client. When I had Nalin look into the feasibility of doing this in RHEL, he discovered that none of the modules (including pam_ldap) support access control using netgroups. He also pointed out that it wouldn't be too much work to implement it, and that it would be a good candidate for going in during an update cycle. Specifically, once you have a user name and a host name, and assuming nss_ldap's working, you can call the libc function innetgr() to check for membership.
Comment 2 Johnray Fuller 2005-09-15 20:30:03 UTC
Should netgroup support be added to pam_listfile as well or other modules besides pam_ldap? This way netgroup authentication can be more broadly deployed (e.g. NIS, NIS+, etc). J
Comment 3 Tomas Mraz 2005-09-16 09:39:11 UTC
There is some netgroup support in pam_access (matches @netgroup), however I don't know if it's sufficient or even working. There is also a yp_get_default_domain() call, and the domain obtained is always passed as the domain parameter to the innetgr function.
Comment 4 Nalin Dahyabhai 2005-09-16 13:36:54 UTC
Oddly enough we have a different customer who is attempting to use pam_access to enforce a requirement on membership in a netgroup, and they're running afoul of pam_access's assumption that there should be a controlling terminal. Something like pam_listfile or pam_succeed_if would work much better for them, but neither currently supports netgroups. One thing to keep in mind about glibc is that netgroups in general aren't tied to NIS, so yp_get_default_domain() can fail even when netgroups are available, for example in /etc/netgroup. What value is appropriate for the "domain" in this case is open to question, but the matching works even if you're using local files.
Comment 5 Tomas Mraz 2005-09-16 13:49:12 UTC
I know about this problem with no controlling tty and pam_access and I've already proposed a patch for it - see bug 168276. The yp_get_default_domain() failure doesn't break the netgroup match since the domain is then set to NULL, which is a wildcard matching any domain in the innetgr() function.
Comment 8 Tomas Mraz 2005-10-11 22:57:11 UTC
Tom, what are the exact requirements for netgroup matching they have? The pam_access module can call innetgr for both user and host name but it is called separately. So if you configure it for user name it is called with hostname as a wildcard (innetgr(group, 0, user, domain)) and vice versa (innetgr(group, host, 0, domain)). So the question is - would the current support in pam_access be sufficient? And if not, which module would be the best one to add the support to (pam_succeed_if?).
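The wildcard semantics discussed in comments 5 and 8 (a NULL host, user or domain passed to innetgr() matches anything, and matching works against a local /etc/netgroup file) are illustrated by this added example, which is not code from the bug report or from glibc or pam_access. It reimplements innetgr()-style matching over a constructed in-memory netgroup file with hypothetical group, host and user names, so the user-only and host-only checks pam_access makes can be run and inspected offline.

```c
#include <string.h>
/* Constructed sample in /etc/netgroup format; hosts and users are hypothetical, not from the bug report. */
static const char *NETGROUP_DB =
    "admins (,alice,) (,bob,example.com)\n"
    "webhosts (web1.example.com,,) (web2.example.com,,)\n"
    "allstaff admins (,carol,)\n";
/* A field matches when the query is NULL (caller wildcard) or the entry field is empty (data wildcard). */
static int field_matches(const char *want, const char *have) { return !want || !*have || !strcmp(want, have); }
/* Copy the member list of `group` (the rest of its line) into buf; returns 0 if the group is unknown. */
static int lookup_group(const char *group, char *buf, size_t len) {
    size_t glen = strlen(group);
    for (const char *p = NETGROUP_DB; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t llen = eol ? (size_t)(eol - p) : strlen(p);
        if (llen > glen && strncmp(p, group, glen) == 0 && p[glen] == ' ') {
            size_t n = llen - glen - 1;
            if (n >= len) n = len - 1;          /* truncate rather than overflow the caller's buffer */
            memcpy(buf, p + glen + 1, n); buf[n] = '\0';
            return 1;
        }
        p = eol ? eol + 1 : p + llen;
    }
    return 0;
}
static int match_group(const char *, const char *, const char *, const char *, int);
/* One member entry: either a nested netgroup name or a "(host,user,domain)" triple. */
static int match_entry(char *tok, const char *host, const char *user, const char *domain, int depth) {
    if (tok[0] != '(') return match_group(tok, host, user, domain, depth + 1);
    char *h = tok + 1, *u = strchr(h, ','), *d, *end;
    if (!u || !(d = strchr(u + 1, ','))) return 0;  /* malformed triple never matches */
    *u++ = '\0'; *d++ = '\0';
    if ((end = strchr(d, ')'))) *end = '\0';
    return field_matches(host, h) && field_matches(user, u) && field_matches(domain, d);
}
static int match_group(const char *group, const char *host, const char *user, const char *domain, int depth) {
    char line[256];
    if (depth > 8 || !lookup_group(group, line, sizeof line)) return 0;  /* depth guard against nesting loops */
    for (char *tok = line, *sp = NULL; *tok; tok = sp ? sp + 1 : tok + strlen(tok)) {
        if ((sp = strchr(tok, ' '))) *sp = '\0';
        if (match_entry(tok, host, user, domain, depth)) return 1;
    }
    return 0;
}
/* innetgr()-style entry point: NULL host, user or domain means "match anything", as pam_access calls it. */
int local_innetgr(const char *group, const char *host, const char *user, const char *domain) {
    return match_group(group, host, user, domain, 0);
}
```

A NULL domain (the case where yp_get_default_domain() fails) still matches the entry that names example.com, while a non-matching explicit domain does not.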
Comment 11 Tomas Mraz 2005-12-15 11:05:24 UTC
There is already support in pam_access which should be good enough. In RHEL 4 U3 netgroups will be supported also in pam_succeed_if module.