Displaying 20 results from an estimated 34 matches for "pam_group".
2012 Jul 27
1
Samba with pam_group.so: add group on log in
Hi,
I am using pam_group.so to add some additional groups to the users.
However, although Samba obeys pam restrictions, it obeys only
"session" type of management. pam_group.so, however can be used only
with auth. That's why if a user logs in through Samba it won't have a
particular group added and so not...
2011 May 31
0
pam_ldap + nss_ldap, su(1), group wheel and pam_group
..." in /etc/group, where user doesn't belong
to group "wheel" :(
Is there any `standard' solution to this problem? I know about
sudo(8), but I am afraid that this inconsistency could bite somewhere
else, and in any case, I want su(1) to work :)
Are there any reasons why pam_group(8) is inconsistent with id(1) in
the way it determines to which groups a user belongs?
--
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
2024 Mar 22
1
Linux Mint 21.3 client AD joined OK but no usb working
Hello! Rowland Penny via samba
On that day it was said...
>> > For this, i use typically 'pam_group' module, with a simple config
>> > like:
>> > *; *; *; Al0000-2400; plugdev,fuse,scanner,video,audio,cdrom,floppy
>> But, where do you insert this config, please?
> This now sounds like a different problem to the subject matter, if
> Samba is set up correctly, th...
2004 Jan 14
18
[Bug 789] pam_setcred() not being called as root
...To: openssh-bugs at mindrot.org
ReportedBy: egmont at uhulinux.hu
In openssh-3.7.1p2/auth-pam.c, line 589, where pam_setcred() is called, both
real and effective user ID's are already switched to normal user.
However, they should be root here.
This causes a problem when trying to use pam_group.so module. This module is
supposed to grant membership to some additional groups, however, as it fails
to do so, it reports an error to sshd and hence sshd refuses the login.
/etc/pam.d/ssh is a symlink to system-auth which is used by many utilities on
my system, none of them has problem with pam_...
2007 Mar 28
1
PAM auth problem
PAM auth doesn't work when I add pam_group:
gw# id test2
uid=10001(test2) gid=11111(adusers) groups=11111(adusers),
10000(group1), 10001(group2), 10002(test10)
gw# getent passwd test2
test2:*:10001:11111:Our AD-Unix Test Account:/home/test2:/bin/sh
gw# cat /etc/pam.d/dovecot
auth required pam_group.so group...
2024 Mar 22
2
Linux Mint 21.3 client AD joined OK but no usb working
...> > Somebody get this problem or can help please?
> >
> > Probably the access to USB devices (and other things) are granted
> > via some local groups, so if you have AD/winbind users, they do
> > not have this group.
> >
> > For this, i use typically 'pam_group' module, with a simple config
> > like:
> >
> > *; *; *; Al0000-2400; plugdev,fuse,scanner,video,audio,cdrom,floppy
> >
> > Right, ok!
> But, where do you insert this config, please?
>
> For now I disable The Linux Machines on the Office because when I p...
2015 Jul 07
1
[Bug 2426] New: OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux platforms
...h was made via the
following changeset which doesn't mention a bugID:
https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
The comment mentions initgroups(3C) wiping out supplementary groups
which only applies in the Linux world if the LinuxPAM pam_group(8)
module has been installed and configured which allows one to assign
additional secondary groups to a user using /etc/security/group.conf in
addition to /etc/group. Note that there is an OpenPAM PAM module of the
same name, pam_group(8), which has different functionality, it performs
access cont...
2019 Jun 04
2
AD group permissions on unix group
Hello,
We have some computers from a lab that the operating system is ubuntu and
are in the domain.
I need the "alunos" group to have permissions in the tty and dialout group,
since they need to use some arduinos.
I have tried the following:
net groupmap add ntgroup=alunos sid=1121 type=domain unixgroup=tty
net groupmap add ntgroup=alunos sid=1121 type=domain unixgroup=dialout
But
2024 Mar 21
1
Linux Mint 21.3 client AD joined OK but no usb working
...i! Douglas G. Oechsler via samba
On that day it was said...
> Somebody get this problem or can help please?
Probably the access to USB devices (and other things) are granted via some
local groups, so if you have AD/winbind users, they do not have this
group.
For this, i use typically 'pam_group' module, with a simple config like:
*; *; *; Al0000-2400; plugdev,fuse,scanner,video,audio,cdrom,floppy
--
Let everyone go where they want to go, let everyone grow old as they please,
but do not tell me what FREEDOM is. (F. Guccini)
2007 Apr 02
1
[PATCH] to fix 2 pam issues
Timo,
I finally made the time to backport a pam fix I created for proftpd over
to dovecot, that allows FreeBSD's pam_group to work as expected. (the bug was
escalated to me internally hehe.. ).
I also noticed an issue while testing that will be confusing to users. If the
docs stay as is, or the other half of this patch is applied, then when the
dovecot.conf contains:
passdb pam {
args = *
}
the imap files with...
2009 Aug 28
1
PAM Authentication with OSX Snow Leopard
Hi
Apple changed from Linux PAM to OpenPAM and the dovecot pam file
(dovecot installed from macports) doesn't work anymore.
Installed pam modules are:
-r--r--r-- 1 root wheel 76640 31 Jul 09:15 pam_env.so.2
-r--r--r-- 1 root wheel 51024 31 Jul 09:15 pam_group.so.2
-r--r--r-- 1 root wheel 99776 31 Jul 09:15 pam_krb5.so.2
-r--r--r-- 1 root wheel 51552 31 Jul 09:15 pam_launchd.so.2
-r--r--r-- 1 root wheel 68800 31 Jul 09:15 pam_mount.so.2
-r--r--r-- 1 root wheel 50896 31 Jul 09:15 pam_nologin.so.2
-r--r--r-- 1 root wheel 64272...
2018 Jun 13
3
NSS and group enumeration in CUPS...
I was used (in SambaNT/OpenLDAP) to put on CUPS configuration the
statement (/etc/cups/cups-files.conf):
SystemGroup printops
and add to 'printops' group some users that can manage cups.
Now i'm in AD mode. I'm in 'printops' group:
root at vdmpp1:~# id gaio
uid=10000(gaio) gid=10513(domain users) gruppi=10513(domain
2006 Apr 10
4
Dovecot's as ip/user based login filter?
Hello.
I'm facing a problem, I need to give access to internal mailserver for some people
only, but can't figure out how to do it. Opening the 993 port for the whole world gives
access to everyone who has an account.
Can Dovecot act as login filter or etc for that purpose? Or does anybody have an idea
how to do it?
--
Sysadmin
2024 Mar 28
1
Linux Mint 21.3 client AD joined OK but no usb working
...out,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users
>
> Some users also want to be member of local-groups like: libvirt, kvm,
> docker, vboxusers
>
> You can do this with: usermod -a -G <group> <domain-user>, this
> mechanism works much better than pam_group (which does not work for
> this purpose).
It worked for myself:
SAMDOM\rowland at rpidc1:~ $ groups
domain users dialout cdrom floppy audio video plugdev scanner
BUILTIN\administrators BUILTIN\users domain admins denied rodc password
replication group rowland testgroup
It just didn't help...
2024 Mar 22
1
Linux Mint 21.3 client AD joined OK but no usb working
...chel di` si favelave...
>
> > Somebody get this problem or can help please?
>
> Probably the access to USB devices (and other things) are granted via some
> local groups, so if you have AD/winbind users, they do not have this
> group.
>
> For this, i use typically 'pam_group' module, with a simple config like:
>
> *; *; *; Al0000-2400; plugdev,fuse,scanner,video,audio,cdrom,floppy
>
> Right, ok!
But, where do you insert this config, please?
For now I disable The Linux Machines on the Office because when I put them
inside Samba AD, the machines sometim...
2024 Mar 30
2
Linux Mint 21.3 client AD joined OK but no usb working
...dev,bluetooth,netdev,pulse-access,users
> >
> > Some users also want to be member of local-groups like: libvirt,
> > kvm, docker, vboxusers
> >
> > You can do this with: usermod -a -G <group> <domain-user>, this
> > mechanism works much better than pam_group (which does not work for
> > this purpose).
>
> It worked for myself:
>
> SAMDOM\rowland at rpidc1:~ $ groups
> domain users dialout cdrom floppy audio video plugdev scanner
> BUILTIN\administrators BUILTIN\users domain admins denied rodc
> password replication group ro...
2018 Jun 13
2
NSS and group enumeration in CUPS...
...>
> > So the short version of above is...
> > Give a AD user a UID/GID
> > Map BUILTIN\Print Operators with SePrivileges
>
> Just done.
>
>
> > Add the user to lpadmin on the linux server.
>
> Seems the only way.
>
> I've also tried to use pam_group (eg, assign local group to a
> user based
> on other infos), but also pam_group does not ''populate'' NSS group
> data, eg 'getent group lpadmin' return empty, so nothing changed.
>
> I think this can also be fired up as bugs against cups... probably cups
>...
2024 Mar 15
2
Linux Mint 21.3 client AD joined OK but no usb working
Hello!
I joined Linux Mint at Samba AD DC version: 4.18.0. It was working nice
but, on the client station the usb ports are "closed". You can connect usb,
hd usb and all show messages as: Not permitted.
Sorry, I do not remember the right message. After joined we lost usb ports.
Somebody get this problem or can help please?
Thank you so much
--
*Douglas Giovani Oechsler*
e-mail:
2006 Jan 14
1
SSO, *-agent & PAM
...the agent or into such a library.
the key agent would send notifications when keys exceed their lifetime.
in fact, this is a major missing component of PAM. in this context it
might even make sense to create meta-entries for kerberos tokens and
even unix passwords (with close relation to pam_time/pam_group).
end-user/desktop applications (password managers, ssh, gpg, etc.) would
use the keys stored in the agent - obviously.
a buzz word that comes to mind is x.509 compliance, but i really have no
idea what that would include.
as far as security goes, i really need some input. possible concerns:
- h...