Bug 291491 - pam su component not allowing groups with "spaces" for samba/winbind (pam_wheel.so)
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: All Linux
Priority: medium Severity: low
Assigned To: Tomas Mraz
Reported: 2007-09-14 15:05 EDT by Daniel Northam
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-09-17 05:24:16 EDT
Attachments:
pam su config (311 bytes, text/plain), 2007-09-14 15:05 EDT, Daniel Northam

Description Daniel Northam 2007-09-14 15:05:17 EDT
Description of problem:

Unable to use Active Directory groups with spaces in the group name for the
pam_wheel.so module.


Version-Release number of selected component (if applicable):

pam-0.77-66.21


How reproducible:

1. Join RHEL server to Active Directory Domain
2. Edit /etc/pam.d/su with:
       auth       required     pam_wheel.so debug trust group=Domain Admins
                          OR
       auth       required     pam_wheel.so debug trust group="Domain Admins"



  
Actual results:

no members in 'Domain' group
pam_parse: unknown option; Admins
        or
no members in '"Domain' group
pam_parse: unknown option; Admins"


Expected results:


Additional info:

I am able to use Active Directory groups in /etc/pam.d/sshd:
auth       required     pam_succeed_if.so quiet user ingroup "Systems Group"

and I even tried adding this line to /etc/pam.d/su but no such luck.


Thank you for looking at this. If there is another method, please let me know.
Also, I have tried using '\' in the group name (e.g. Domain\ Admins) but no such luck.
Comment 1 Daniel Northam 2007-09-14 15:05:17 EDT
Created attachment 196111
pam su config
Comment 2 Tomas Mraz 2007-09-17 05:24:16 EDT
Use this syntax:

auth       required     pam_wheel.so debug trust [group=Domain Admins]
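
The three spellings tried in this report, run through a simplified model of Linux-PAM's module-argument splitting. This is an added example, not part of the bug report and not libpam's own code; split_pam_args and wheel_group are hypothetical names. It assumes the rule documented in pam.conf(5): arguments are separated by whitespace, square brackets group one argument, "\]" is a literal "]", and double quotes have no special meaning.

```python
# Added example: simplified model of PAM module-argument splitting.
# Assumption: the rule documented in pam.conf(5); quotes are ordinary characters.

def split_pam_args(text):
    """Split the module-arguments part of a PAM config line into tokens."""
    args, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "[":
            # Bracketed argument: runs to the first unescaped "]".
            i += 1
            buf = []
            while i < n and text[i] != "]":
                if text[i] == "\\" and i + 1 < n and text[i + 1] == "]":
                    buf.append("]")      # "\]" survives as a literal "]"
                    i += 2
                else:
                    buf.append(text[i])
                    i += 1
            if i >= n:
                # Choice made by this model: refuse an unterminated bracket.
                raise ValueError("unterminated '[' in module arguments")
            i += 1                       # skip the closing "]"
            args.append("".join(buf))
        else:
            start = i
            while i < n and not text[i].isspace():
                i += 1
            args.append(text[start:i])
    return args


def wheel_group(line):
    """Return (group name pam_wheel receives, tokens it does not recognise)."""
    fields = line.split(None, 3)         # type, control, module, arguments
    args = split_pam_args(fields[3]) if len(fields) > 3 else []
    known = {"debug", "trust", "deny", "use_uid", "root_only"}
    group, unknown = None, []
    for arg in args:
        if arg.startswith("group="):
            group = arg[len("group="):]
        elif arg not in known:
            unknown.append(arg)
    return group, unknown
```

With trust set, the group name the module receives decides who may su without a password, so a line that splits into group=Domain plus a stray token checks a different group than the one intended.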
Comment 3 Daniel Northam 2007-09-17 12:17:35 EDT
Hmmm, doesn't work, but it is at least giving me a different error:

Access denied to 'useraccount' for 'root'

But it does work if I change the group to a local group.


**********/etc/pam.d/su*****************
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_wheel.so debug trust [group=Domain Admins]
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     pam_selinux.so open
session    optional     pam_xauth.so
Comment 4 Tomas Mraz 2007-09-17 12:49:46 EDT
What does getent group 'Domain Admins' print? Does the group entry contain the
useraccount?
