NIS + su issues
(x-posted from linuxsupport, because a lot of the helpful folks here don't seem to read it and I've gotten no responses)
Okay, on my machines with a local /etc/group, su works fine (it's the classical "only members of wheel are allowed to su" type system). On my machines that are part of the NIS domain, it doesn't work. I get an "su: Permission denied". If I add the user who wants to su to the machine's local /etc/group, it works just fine. However, this does not represent an ideal solution, since I'd have to do this on all NIS clients, which is a pain (okay, not really, but it's still inelegant). If I comment out the pam_wheel line in /etc/pam.d/su, it works, but this is not ideal since I don't want everyone to be able to su. So, it's somehow related to pam dealing with the nis group list properly. On both systems (before I added it to the local /etc/group, of course), id reports the same thing:
uid=1000(matt) gid=1000 groups=10(wheel),18(audio),35(games),80(cdrw),100(users),1000
Ideas?
Followup: I finally resolved this by adding a niswheel group on the NIS server. The user list of niswheel is the same as wheel. Then, I changed the pam_wheel line in /etc/init.d/su to be:
auth required /lib/security/pam_wheel.so group=niswheel use_uid
This gave me the functionality that I wanted.
important bits of /etc/nsswitch.conf
passwd: files nis
shadow: files nis
group: files nis
/etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust
# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
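The most likely reason the original wheel check failed, and the niswheel workaround succeeded, is name-lookup shadowing: pam_wheel asks for the group entry by name (a getgrnam()-style lookup), and with "group: files nis" glibc returns the first source that has an entry and stops, so the client's local "wheel:x:10:" (no members) hides the NIS wheel map. The id output looks right because supplementary-group enumeration (initgroups) merges all sources instead of stopping at the first. A group name that exists only in NIS, like niswheel, has no local entry to shadow it. The script below is an added illustration, not part of the original post: it simulates that first-match behaviour over two constructed group files standing in for /etc/group and the NIS group map (the file contents, user names and gids are made up).

```shell
#!/bin/sh
# Constructed example: simulate how a name-based group lookup (the kind
# pam_wheel performs) resolves a group under "group: files nis".
# Each source is a file in /etc/group format; the lookup returns the
# FIRST source that has an entry for the name and stops there.

# Constructed sample data (not from the original post):
LOCAL_GROUP=$(mktemp)   # stands in for the NIS client's local /etc/group
NIS_GROUP=$(mktemp)     # stands in for the NIS group map
cat >"$LOCAL_GROUP" <<'EOF'
root:x:0:
wheel:x:10:
users:x:100:
EOF
cat >"$NIS_GROUP" <<'EOF'
wheel:x:10:matt,alice
niswheel:x:1010:matt,alice
users:x:100:matt
EOF

# lookup_group NAME FILE... : print the entry for NAME from the first
# source (in the order given) that has one; fail if no source has it.
lookup_group() {
    name=$1; shift
    for src in "$@"; do
        line=$(grep "^${name}:" "$src" | head -n 1)
        if [ -n "$line" ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done
    return 1
}

# in_group USER GROUP FILE... : print "yes" if USER appears in the member
# list of the entry that a first-match lookup returns for GROUP, else "no".
in_group() {
    user=$1; group=$2; shift 2
    entry=$(lookup_group "$group" "$@") || { echo no; return 0; }
    members=${entry##*:}            # fourth field: comma-separated members
    case ",$members," in
        *",$user,"*) echo yes ;;
        *)           echo no  ;;
    esac
}

# Demonstration with the post's nsswitch order, files before nis:
#   wheel    -> local empty entry wins, matt is NOT seen as a member
#   niswheel -> only NIS has it, matt IS seen as a member
printf 'wheel (files nis):    %s\n' "$(in_group matt wheel    "$LOCAL_GROUP" "$NIS_GROUP")"
printf 'niswheel (files nis): %s\n' "$(in_group matt niswheel "$LOCAL_GROUP" "$NIS_GROUP")"
printf 'wheel (nis files):    %s\n' "$(in_group matt wheel    "$NIS_GROUP" "$LOCAL_GROUP")"
```

On a real client the same comparison is "getent group wheel" (the name lookup pam_wheel sees) against "id -Gn matt" (the merged supplementary list). Two caveats for anyone adopting the niswheel approach: any later local entry named niswheel in /etc/group would shadow the NIS one in exactly the same way, and the su policy now depends on a group map served by NIS, so the integrity of the NIS server and its network path becomes part of the su trust boundary.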
