Bug 291491

Summary: pam su component not allowing groups with "spaces" for samba/winbind (pam_wheel.so)
Product: Red Hat Enterprise Linux 4
Reporter: Daniel Northam <dnortham>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
Severity: low
Priority: medium
Version: 4.0
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-09-17 09:24:16 UTC
Attachments: pam su config (flags: none)

Description Daniel Northam 2007-09-14 19:05:17 UTC
Description of problem:

Unable to use Active Directory groups with spaces in the group name for the
pam_wheel.so module.


Version-Release number of selected component (if applicable):

pam-0.77-66.21


How reproducible:

1. Join RHEL server to Active Directory Domain
2. Edit /etc/pam.d/su with:
       auth       required     pam_wheel.so debug trust group=Domain Admins
                          OR
       auth       required     pam_wheel.so debug trust group="Domain Admins"



  
Actual results:

no members in 'Domain' group
pam_parse: unknown option; Admins
        or
no members in '"Domain' group
pam_parse: unknown option; Admins"


Expected results:


Additional info:

I am able to use Active Directory groups in /etc/pam.d/sshd:
auth       required     pam_succeed_if.so quiet user ingroup "Systems Group"

and I even tried adding this line to /etc/pam.d/su but no such luck.


Thank you for looking at this. If there is another method, please let me know.
Also, I have tried using '\' in the group name (e.g. Domain\ Admins) but no such luck.

Comment 1 Daniel Northam 2007-09-14 19:05:17 UTC
Created attachment 196111
pam su config

Comment 2 Tomas Mraz 2007-09-17 09:24:16 UTC
Use this syntax:

auth       required     pam_wheel.so debug trust [group=Domain Admins]
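
How the three argument forms tried in this report get tokenized, as an added example (not part of the comment above and not Linux-PAM's own code). It is a simplified Python model that assumes whitespace separates module arguments, square brackets group one argument, and double quotes are not special; `split_pam_args` and `wheel_group` are hypothetical names.

```python
# Simplified model of PAM module-argument tokenizing (assumption, not Linux-PAM code):
# whitespace separates arguments, [ ... ] groups one argument (\] is a literal ]),
# and double quotes have no special meaning.

def split_pam_args(text):
    """Split the argument part of a PAM rule into module arguments."""
    args, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "[":
            # Bracketed argument: runs to the first unescaped ']'.
            i, buf = i + 1, []
            while i < n and text[i] != "]":
                if text.startswith("\\]", i):
                    buf.append("]")
                    i += 2
                else:
                    buf.append(text[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated '[' in module arguments")
            args.append("".join(buf))
            i += 1  # skip the closing ']'
        else:
            start = i
            while i < n and not text[i].isspace():
                i += 1
            args.append(text[start:i])
    return args


def wheel_group(args):
    """Return (group, unknown options) as a pam_wheel-style consumer sees them."""
    known_flags = {"debug", "trust", "deny", "use_uid"}
    group, unknown = None, []
    for arg in args:
        if arg.startswith("group="):
            group = arg[len("group="):]
        elif arg not in known_flags:
            unknown.append(arg)
    return group, unknown


# Constructed inputs: the three argument strings tried in this report.
for tried in ("debug trust group=Domain Admins",
              'debug trust group="Domain Admins"',
              "debug trust [group=Domain Admins]"):
    print(repr(tried), "->", wheel_group(split_pam_args(tried)))
```

The first two forms yield the group names `Domain` and `"Domain` with a stray `Admins` / `Admins"` option, matching the log messages in the description; only the bracketed form delivers `Domain Admins` as one value.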


Comment 3 Daniel Northam 2007-09-17 16:17:35 UTC
Hmmm, doesn't work, but it is at least giving me a different error:

Access denied to 'useraccount' for 'root'

But it does work if I change the group to a local group.


**********/etc/pam.d/su*****************
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_wheel.so debug trust [group=Domain Admins]
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     pam_selinux.so open
session    optional     pam_xauth.so

Comment 4 Tomas Mraz 2007-09-17 16:49:46 UTC
What does getent group 'Domain Admins' print? Does the group entry contain the
useraccount?