Hi, all,

I just upgraded an older system from 8.4 to 10.2 in a single go.
No unexpected problems, until I tried to use "su":

$ su -
su: Sorry

Well, I *am* a member of the wheel group:

$ id
uid=10093(ry93) gid=10001(intern) groups=10001(intern),0(wheel),10002(entwickler)

Hmmm ... we pull all this information from LDAP. My nsswitch.conf has always been:

group: files cache ldap
passwd: files cache ldap

Without the "compat" entries. Let's check the groups:

$ pw group show -a
wheel:*:0:
wheel:*:0:ry22,ry96,ry90,ry93

Before the update the members were merged. The first line is coming from /etc/group, the second from LDAP.

I do have to remove the "root" member in /etc/group from wheel on all systems for LDAP information to be merged in, even on the older systems. But for some reason that seems not to be sufficient anymore. If I put myself (ry93) in the file, everything works as expected.

Another way I tried was this for nsswitch.conf:

group: compat
group_compat: cache ldap

and then the traditional "+:*:0:" entry in /etc/group. The outcome of "id" and "su -" is precisely the same as above. I am shown to be a member of group wheel, yet su won't let me.

Any ideas?

Thanks,
Patrick

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
Patrick M. Hausen
2015-Nov-23 16:09 UTC
PAM changes? (was: Re: NSS changes in releng/10.2?)
Hi, all,

sorry for not trying this earlier and now replying to myself, but I'm slowly making progress isolating the problem.

> On 23.11.2015 at 15:42, Patrick M. Hausen <hausen at punkt.de> wrote:
>
> Hi, all,
>
> I just upgraded an older system from 8.4 to 10.2 in a single go.
> No unexpected problems, until I tried to use "su":
>
> $ su -
> su: Sorry
>
> Well, I *am* a member of the wheel group:
>
> $ id
> uid=10093(ry93) gid=10001(intern) groups=10001(intern),0(wheel),10002(entwickler)
>
> Hmmm ... we pull all this information from LDAP. My nsswitch.conf has always been:
>
> group: files cache ldap
> passwd: files cache ldap

And this part seems to be just as valid and working as before. I had the implicit assumption that su(1) was using something like getgroups() to determine if I am a member of "wheel" - which it doesn't. I even hacked up 5 lines of C to quickly get my supplementary group list and lo and behold:

$ ./groups
10002 0 10001

So, it is not NSS' or LDAP's fault.

I just looked at the source for su(1) and it looks like it uses PAM to check if I am authorized to su to root:

	retcode = pam_authenticate(pamh, 0);
	if (retcode != PAM_SUCCESS) {
		syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
		    username, user, mytty);
		errx(1, "Sorry");

My /etc/pam.d/system looks like this:

----------- system -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	/usr/local/lib/pam_ldap.so	ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_lastlog.so		no_fail

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass
----------------------

And /etc/pam.d/su like this:

----------- su -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#

# auth
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe ruser
auth		include		system

# account
account		include		system

# session
session		required	pam_permit.so
----------------------

Any changes that I missed on the way from 8.4 to 10.2?

Unfortunately I do not have an older 10.x system that runs with an Active Directory connection. Only 8.4 ones - this one was the first to finally get updated to a current FreeBSD version. As I stated, this PAM configuration works as intended on 8.4. I generated the 10.2 files above by running mergemaster.

Thanks,
Patrick

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
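An added diagnostic, not code from this thread or from FreeBSD: the post contrasts what id(1) and getgroups(2) report (the process's supplementary groups) with what pam_authenticate() decides, and the su(8) policy line in question is pam_group.so with group=wheel. The C program below puts the two underlying lookups side by side for a named user and group: the group entry's own member list as returned by getgrnam(3), which yields a single entry (the first match in lookup order), versus the user's supplementary group list built by getgrouplist(3). The id(1) output in the post already shows the supplementary list containing wheel while the /etc/group line lists no members, so on that system the two views can give different answers; which of the two pam_group(8) consults is not settled in the thread, and this program does not claim to reproduce its internals. The "wheel" fixture that mirrors the two group lines from the post is constructed data; the lookups in main() run against whatever host the program is compiled on.

```c
/* groupcheck.c: two answers to "is USER a member of GROUP" on a FreeBSD or
 * glibc host, side by side.
 *   view A: the group entry's own member list, getgrnam(3) -> gr_mem
 *           (plus the user's primary gid); one entry per group name
 *   view B: the user's supplementary group list from getgrouplist(3),
 *           i.e. what setgroups(2)/id(1) end up with
 * Compile: cc -std=c99 -Wall -o groupcheck groupcheck.c
 * Run:     ./groupcheck [user [group]]      (defaults: yourself, wheel)
 */
#define _DEFAULT_SOURCE   /* getgrouplist(3) prototype on glibc; harmless on FreeBSD */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* View A on an entry already fetched with getgrnam(3). */
int gr_mem_has(const struct group *grp, const char *user, gid_t user_pgid)
{
    if (grp == NULL)
        return 0;
    if (grp->gr_gid == user_pgid)          /* primary group counts too */
        return 1;
    for (char **m = grp->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* View B: does gid appear in the supplementary list getgrouplist(3) builds
 * for user?  The base gid passed in is always part of that list.
 * Returns -1 if the list does not fit the buffer. */
int grouplist_has(const char *user, gid_t user_pgid, gid_t gid)
{
    gid_t gids[256];
    int ngids = (int)(sizeof gids / sizeof gids[0]);
    if (getgrouplist(user, user_pgid, gids, &ngids) < 0)
        return -1;
    for (int i = 0; i < ngids; i++)
        if (gids[i] == gid)
            return 1;
    return 0;
}

/* Fixture reproducing the two "wheel" lines shown in the post:
 *   wheel:*:0:                      (the /etc/group line)
 *   wheel:*:0:ry22,ry96,ry90,ry93   (the LDAP line)
 * Constructed data for this example; it is read from no system. */
int constructed_wheel_has(int ldap_line, const char *user, gid_t user_pgid)
{
    static char *ldap_members[] = { "ry22", "ry96", "ry90", "ry93", NULL };
    static char *no_members[] = { NULL };
    struct group wheel = {
        .gr_name = "wheel", .gr_passwd = "*", .gr_gid = 0,
        .gr_mem = ldap_line ? ldap_members : no_members,
    };
    return gr_mem_has(&wheel, user, user_pgid);
}

/* Both views for a real user/group on this host.  Returns 0 if they agree,
 * 1 if they disagree, -1 if the user or group cannot be resolved. */
int diagnose(const char *user, const char *group)
{
    struct passwd *pwd = getpwnam(user);
    if (pwd == NULL)
        return -1;
    gid_t pgid = pwd->pw_gid;              /* copy before the next lookup */
    struct group *grp = getgrnam(group);   /* one entry: first match only */
    if (grp == NULL)
        return -1;
    int a = gr_mem_has(grp, user, pgid);
    int b = grouplist_has(user, pgid, grp->gr_gid);
    printf("%s in %s(%lu): gr_mem=%d getgrouplist=%d%s\n", user, group,
           (unsigned long)grp->gr_gid, a, b, a == b ? "" : "  <-- views disagree");
    return a == b ? 0 : 1;
}

int main(int argc, char **argv)
{
    char name[256];
    const char *group = argc > 2 ? argv[2] : "wheel";
    if (argc > 1) {
        snprintf(name, sizeof name, "%s", argv[1]);
    } else {
        struct passwd *me = getpwuid(getuid());
        if (me == NULL) {
            fprintf(stderr, "cannot resolve uid %lu\n", (unsigned long)getuid());
            return 2;
        }
        snprintf(name, sizeof name, "%s", me->pw_name);   /* copy out of the static buffer */
    }
    int rc = diagnose(name, group);
    if (rc < 0)
        fprintf(stderr, "unknown user %s or group %s\n", name, group);
    return rc < 0 ? 2 : rc;
}
```

Run it as the affected user on the upgraded box (`./groupcheck ry93 wheel`) and on an 8.4 box with the same LDAP data: a line ending in "views disagree" means the name-keyed group entry and the user's supplementary list no longer tell the same story, which is the kind of split worth knowing about before touching pam.d/su.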