Michael Montgomery
2006-Jan-09 22:22 UTC
[Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised.
I've been trying to set up and test using Nis Netgroups as a means of access control, and have run into some difficulties. I have two client systems (ldap01, ldap02) set up to authenticate against an ldap database. Pam_Ldap and everything are set up and functioning as they should with respect to allowing users queried from the ldap database to login. Here are the relevant details.

(I'm using this, btw http://directory.fedora.redhat.com/wiki/Howto:Netgroups )

[root@ldap02 security]# hostname
ldap02.inside.exampledomain.com

[root@ldap02 ~]# host ldap02.inside.exampledomain.com
ldap02.inside.theplanet.com has address 10.5.1.17

[root@ldap02 ~]# host 10.5.1.17
17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com

[root@ldap02 security]# getent netgroup unixisusers
unixisusers ( , mmontgomery, )

[root@ldap02 security]# getent netgroup unixissystems
unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)

[root@ldap02 security]# id mmontgomery
uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS)

[root@ldap02 security]# tail access.conf | grep -v '#'
+ : root : LOCAL
+ : mmont : ALL
+ : @unixisusers@@unixissystems : ALL
- : ALL : ALL

[root@ldap02 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_access.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session optional /lib/security/$ISA/pam_ldap.so

When trying to login remotely, I get this:

/var/log/messages:
Jan 9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com'

Adding this to access.conf makes it work though:

+ : @unixisusers : ALL

Does anyone have any ideas what I'm overlooking here?

Thanks
Dan Cox
2006-Jan-11 02:18 UTC
Re: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised.
Try a couple of things..

change the triple
(ldap02,,inside.exampledomain.com)

to read

(ldap02,,)

If that works, try changing it to read:

(ldap02,,exampledomain.com)

If that works, then NIS netgroups may not be able to work with subdomains.

Dan-

Michael Montgomery wrote:
> I've been trying to set up and test using Nis Netgroups as a means of
> access control, and have run into some difficulties. I have two client
> systems (ldap01, ldap02) set up to authenticate against an ldap database.
> Pam_Ldap and everything are set up and functioning as they should with
> respect to allowing users queried from the ldap database to login. Here
> are the relevant details.
>
> (I'm using this, btw
> http://directory.fedora.redhat.com/wiki/Howto:Netgroups )
>
> [root@ldap02 security]# hostname
> ldap02.inside.exampledomain.com
>
> [root@ldap02 ~]# host ldap02.inside.exampledomain.com
> ldap02.inside.theplanet.com has address 10.5.1.17
>
> [root@ldap02 ~]# host 10.5.1.17
> 17.1.5.10.in-addr.arpa domain name pointer ldap02.inside.exampledomain.com
>
> [root@ldap02 security]# getent netgroup unixisusers
> unixisusers ( , mmontgomery, )
>
> [root@ldap02 security]# getent netgroup unixissystems
> unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)
>
> [root@ldap02 security]# id mmontgomery
> uid=1000(mmontgomery) gid=10000(UnixIS) groups=10000(UnixIS)
>
> [root@ldap02 security]# tail access.conf | grep -v '#'
> + : root : LOCAL
> + : mmont : ALL
> + : @unixisusers@@unixissystems : ALL
> - : ALL : ALL
>
> [root@ldap02 pam.d]# cat system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account required /lib/security/$ISA/pam_access.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
> session optional /lib/security/$ISA/pam_ldap.so
>
> When trying to login remotely, I get this:
>
> /var/log/messages:
> Jan 9 16:17:19 ldap02 pam_access[1552]: access denied for user `mmontgomery' from `202.10-5-1.inside.exampledomain.com'
>
> Adding this to access.conf makes it work though:
>
> + : @unixisusers : ALL
>
> Does anyone have any ideas what I'm overlooking here?
>
> Thanks
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Michael Montgomery
2006-Jan-12 17:57 UTC
Re: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised.
Unfortunately, none of these worked. Is there any way to debug this to verify that it's definitely a subdomain issue, and not something else?

Thanks for your help so far.

On Tue, 2006-01-10 at 20:18 -0600, Dan Cox wrote:
> Try a couple of things..
>
> change the triple
> (ldap02,,inside.exampledomain.com)
>
> to read
>
> (ldap02,,)
>
> If that works, try changing it to read:
>
> (ldap02,,exampledomain.com)
>
> If that works, then NIS netgroups may not be able to work with subdomains.
Michael Montgomery
2006-Jan-17 21:00 UTC
Re: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised.
If anybody is curious how to get subdomains working, you can 'trick' this to work by defining the triple this way:

(ldap02.inside, , exampledomain.com)

instead of this:

(ldap02, , inside.exampledomain.com)

This appears to allow this to work.

Hope this helps.
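As an added example (not code from the thread, pam_access, glibc or Fedora Directory Server), the Python below parses the `getent netgroup` output and the access.conf lines quoted in the first post and evaluates the `@unixisusers@@unixissystems` rule with innetgr()-style matching: an empty triple field is a wildcard, host and domain are compared case-insensitively as whole strings, the user name exactly. It makes visible why a host triple written as (ldap02, , inside.exampledomain.com) cannot match when the name being tested is the full hostname, or when the domain argument differs from the third field: neither field is treated as a DNS suffix. The assumptions are that pam_access tests the local hostname against the host netgroup and passes the NIS domain (what `domainname` prints) as the domain argument; the simplified origins matching, the function names and the sample values are mine.

```python
"""innetgr()-style evaluation of NIS netgroup triples and an access.conf
'@usergroup@@hostgroup' rule.  Added example for this thread; not code from
pam_access, glibc, or Fedora Directory Server."""

import re
from typing import Dict, List, Optional, Tuple

Triple = Tuple[str, str, str]  # (host, user, domain); "" means wildcard

# Constructed sample data: the getent and access.conf lines quoted in the thread.
GETENT_OUTPUT = """\
unixisusers ( , mmontgomery, )
unixissystems (ldap01, , inside.exampledomain.com) (ldap02, , inside.exampledomain.com)
"""

ACCESS_CONF = """\
+ : root : LOCAL
+ : mmont : ALL
+ : @unixisusers@@unixissystems : ALL
- : ALL : ALL
"""

TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_getent_netgroup(text: str) -> Dict[str, List[Triple]]:
    """Parse 'getent netgroup NAME' lines into {name: [(host, user, domain), ...]}."""
    groups: Dict[str, List[Triple]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, members = line.partition(" ")
        groups[name] = [(m.group(1), m.group(2), m.group(3)) for m in TRIPLE_RE.finditer(members)]
    return groups


def _field_matches(want: str, have: Optional[str], fold_case: bool) -> bool:
    """An empty triple field or a None query value matches anything.  A query
    value of "" is NOT a wildcard, just as an unset NIS domain passed as ""
    to innetgr() is compared literally against the triple's domain field."""
    if want == "" or have is None:
        return True
    return want.lower() == have.lower() if fold_case else want == have


def innetgr(groups: Dict[str, List[Triple]], netgroup: str,
            host: Optional[str] = None, user: Optional[str] = None,
            domain: Optional[str] = None) -> bool:
    """Membership test with innetgr(3) semantics: host and domain are compared
    case-insensitively as whole strings (no DNS-suffix logic), user exactly."""
    return any(
        _field_matches(h, host, True) and _field_matches(u, user, False)
        and _field_matches(d, domain, True)
        for h, u, d in groups.get(netgroup, [])
    )


def users_field_matches(groups, field: str, user: str, local_host: str, nis_domain: str) -> bool:
    """Match the users field of an access.conf rule: ALL, a plain login name,
    @netgroup, or @usergroup@@hostgroup.  Assumption: the local hostname is
    tested against the host netgroup, with the NIS domain as domain argument."""
    if not field.startswith("@"):
        return field == "ALL" or field == user
    ugroup, _, hgroup = field[1:].partition("@@")
    if not innetgr(groups, ugroup, user=user, domain=nis_domain):
        return False
    return not hgroup or innetgr(groups, hgroup, host=local_host, domain=nis_domain)


def origin_matches(field: str, origin: str) -> bool:
    """Simplified origins field: ALL matches everything, LOCAL matches a login
    without a remote host, anything else is an exact hostname comparison."""
    if field == "ALL":
        return True
    if field == "LOCAL":
        return origin == ""
    return field.lower() == origin.lower()


def first_matching_rule(conf: str, groups, user: str, local_host: str,
                        nis_domain: str, origin: str) -> Optional[Tuple[str, str]]:
    """Walk access.conf top to bottom and return (permission, rule) for the
    first rule that matches, as pam_access does; None if nothing matches."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if users_field_matches(groups, users, user, local_host, nis_domain) and origin_matches(origins, origin):
            return perm, line
    return None


if __name__ == "__main__":
    groups = parse_getent_netgroup(GETENT_OUTPUT)
    remote = "202.10-5-1.inside.exampledomain.com"
    # Full hostname against the short host field, NIS domain unset: the catch-all denies.
    print(first_matching_rule(ACCESS_CONF, groups, "mmontgomery", "ldap02.inside.exampledomain.com", "", remote))
    # Short hostname and a NIS domain equal to the triple's third field: the netgroup rule allows.
    print(first_matching_rule(ACCESS_CONF, groups, "mmontgomery", "ldap02", "inside.exampledomain.com", remote))
```

The two calls at the bottom reproduce the thread's symptom and its fix in miniature: the same triple denies or allows depending only on what string is handed to the host comparison and what string is handed to the domain comparison. When a netgroup rule in access.conf refuses a user you expect to pass, compare `hostname`, `domainname` and the exact fields of the `getent netgroup` triple before suspecting the directory data.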
Richard Megginson
2006-Jan-17 21:09 UTC
Re: [Fedora-directory-users] Nis Netgroups and access.conf not quite working as advertised.
Thanks! I've updated http://directory.fedora.redhat.com/wiki/Howto:Netgroups

Michael Montgomery wrote:
> If anybody is curious how to get subdomains working, you can 'trick'
> this to work by defining the triple this way:
>
> (ldap02.inside, , exampledomain.com)
>
> instead of this:
>
> (ldap02, , inside.exampledomain.com)
>
> This appears to allow this to work.
>
> Hope this helps.
Susan
2006-Jan-17 21:20 UTC
[Fedora-directory-users] access denied to replication agreement after mmr.pl
Hi, all, a quick question. I ran mmr.pl (http://www.netauth.com/~jacksonm/ldap/mmr.pl), it worked fine. However, when I bring up the console now and click on the replication agreement to see the details, it''s saying that uid=admin is denied access and no password works to get in. I must be missing an ACI somewhere, can anybody point me in the right direction? Thank you. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com