Bug 167669
Summary: | Add netgroup support in pam |
---|---|
Product: | Red Hat Enterprise Linux 3 |
Component: | pam |
Version: | 3.0 |
Hardware: | All |
OS: | Linux |
Status: | CLOSED NEXTRELEASE |
Severity: | medium |
Priority: | medium |
Reporter: | Tom "spot" Callaway <tcallawa> |
Assignee: | Tomas Mraz <tmraz> |
CC: | nalin, tmraz |
Keywords: | FutureFeature |
Doc Type: | Enhancement |
Last Closed: | 2005-12-15 11:05:24 UTC |
Bug Blocks: | 170445 |

Description
Tom "spot" Callaway
2005-09-06 19:39:16 UTC
Should netgroup support be added to pam_listfile as well or other modules besides pam_ldap? This way netgroup authentication can be more broadly deployed (e.g. NIS, NIS+, etc.).

There is some netgroup support in pam_access (matches @netgroup), however I don't know if it's sufficient or even working. There is also a yp_get_default_domain() call, and the domain obtained is always passed as the domain parameter to the innetgr function.

Oddly enough we have a different customer who is attempting to use pam_access to enforce a requirement on membership in a netgroup, and they're running afoul of pam_access's assumption that there should be a controlling terminal. Something like pam_listfile or pam_succeed_if would work much better for them, but neither currently supports netgroups. One thing to keep in mind about glibc is that netgroups in general aren't tied to NIS, so yp_get_default_domain() can fail even when netgroups are available, for example in /etc/netgroup. What value is appropriate for the "domain" in this case is open to question, but the matching works even if you're using local files.

I know about this problem with no controlling tty and pam_access and I've already proposed a patch for it - see bug 168276. The yp_get_default_domain() failure doesn't break the netgroup match, since domain is set to NULL then and this is a wildcard matching any domain in the innetgr() function.

Tom, what are the exact requirements for netgroup matching they have?

The pam_access module can call innetgr for both user and host name, but it is called separately. So if you configure it for user name it is called with hostname as a wildcard (innetgr(group, 0, user, domain)) and vice versa (innetgr(group, host, 0, domain)). So the question is - would the current support in pam_access be sufficient? And if not, which module would be the best to add the support in (pam_succeed_if?).

There is already support in pam_access which should be good enough.

In RHEL 4 U3 netgroups will be supported also in pam_succeed_if module.
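
Added example (not part of the bug report, and not pam_access or glibc code): a small in-memory model of the innetgr() wildcard matching discussed in the thread, showing how two separate user and host checks differ from one call that passes both. The names model_innetgr, separate_checks and combined_check are hypothetical, the sample netgroup is constructed, and the model assumes a rule that names the same netgroup for both the user and the host and uses exact string comparison.

```c
#include <stdio.h>
#include <string.h>

/* One netgroup triple; an empty field is a wildcard, as in /etc/netgroup. */
struct triple { const char *host, *user, *domain; };

/* Constructed sample, equivalent to the /etc/netgroup line:
 *   admins (hosta,alice,) (hostb,bob,)                       */
static const struct triple admins[] = {
    { "hosta", "alice", "" },
    { "hostb", "bob",   "" },
};

/* A field matches if the caller passed NULL (wildcard query), the entry
 * is empty (wildcard entry), or both strings are equal. */
static int field_ok(const char *entry, const char *query)
{
    return query == NULL || entry[0] == '\0' || strcmp(entry, query) == 0;
}

/* Model of innetgr(group, host, user, domain) over one group's triples. */
int model_innetgr(const struct triple *g, size_t n,
                  const char *host, const char *user, const char *domain)
{
    for (size_t i = 0; i < n; i++)
        if (field_ok(g[i].host, host) && field_ok(g[i].user, user) &&
            field_ok(g[i].domain, domain))
            return 1;
    return 0;
}

/* The two separate calls described in the thread: user with host as
 * wildcard, then host with user as wildcard. */
int separate_checks(const char *host, const char *user, const char *domain)
{
    return model_innetgr(admins, 2, NULL, user, domain) &&
           model_innetgr(admins, 2, host, NULL, domain);
}

/* One call that requires host and user to appear in the same triple. */
int combined_check(const char *host, const char *user, const char *domain)
{
    return model_innetgr(admins, 2, host, user, domain);
}

int main(void)
{
    /* domain == NULL models the yp_get_default_domain() failure case. */
    printf("alice@hostb separate=%d combined=%d\n",
           separate_checks("hostb", "alice", NULL),
           combined_check("hostb", "alice", NULL));
    return 0;
}
```

With separate calls, a user listed only alongside hosta is still accepted from hostb, because each call wildcards the other field; a netgroup whose triples are meant to pair specific users with specific hosts is only enforced by a combined call.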