
pam_ldap and nss_ldap : chicken-and-egg problem with "wheel" group and "su" utility


Lev Serebryakov

Sep 22, 2011, 4:43:45 AM
to freebsd-...@freebsd.org
Hello, Freebsd-security.

I have a chicken-and-egg problem with the wheel group and the su utility when
all users but root are stored in LDAP.

wheel group should be in /etc/group to allow basic system services
to start before LDAP is available.

But when "wheel" is in /etc/group with only "root" member (as all
other members are in LDAP), system never takes "wheel" members from
LDAP (because /etc/group has priority) and "su" doesn't work!

What is proper way to resolve this problem?

--
// Black Lion AKA Lev Serebryakov <l...@FreeBSD.org>

_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"

Dag-Erling Smørgrav

Sep 22, 2011, 11:23:00 AM
to Lev Serebryakov, freebsd-...@freebsd.org
Lev Serebryakov <l...@FreeBSD.org> writes:
> But when "wheel" is in /etc/group with only "root" member (as all
> other members are in LDAP), system never takes "wheel" members from
> LDAP (because /etc/group has priority) and "su" doesn't work!

Did you try changing the priority in /etc/nsswitch.conf?

DES
--
Dag-Erling Smørgrav - d...@des.no

Lev Serebryakov

Sep 23, 2011, 3:09:24 PM
to Dag-Erling Smørgrav, freebsd-...@freebsd.org
Hello, Dag-Erling.
You wrote on September 22, 2011, 19:21:27:

> Lev Serebryakov <l...@FreeBSD.org> writes:
>> But when "wheel" is in /etc/group with only "root" member (as all
>> other members are in LDAP), system never takes "wheel" members from
>> LDAP (because /etc/group has priority) and "su" doesn't work!
> Did you try changing the priority in /etc/nsswitch.conf?
It gives a very long boot time, as nss_ldap waits for an answer from
the non-started server, again and again, etc.

--
// Black Lion AKA Lev Serebryakov <l...@serebryakov.spb.ru>

Dag-Erling Smørgrav

Sep 24, 2011, 8:05:15 AM
to Lev Serebryakov, freebsd-...@freebsd.org
Lev Serebryakov <l...@FreeBSD.org> writes:
> Dag-Erling <d...@des.no> writes:
> > Did you try changing the priority in /etc/nsswitch.conf?
> It gives very long boot time, as nss_ldap waits for answer from
> non-started server, again and again, etc.

The only solution I can think of is to try to figure out how to reduce
or eliminate this delay, because the system is doing exactly what you
asked it to, i.e. treating /etc/group as authoritative and using LDAP
only for groups it can't find there.

DES
--
Dag-Erling Smørgrav - d...@des.no

Rene de Vries

Sep 26, 2011, 7:31:14 AM
to freebsd-...@freebsd.org
Why not have /etc/group be authoritative for wheel (and thus have a list
of local superusers)?
And use sudo with an LDAP-based group for everything else.

René

On Sat, 24 Sep 2011 14:03:32 +0200, Dag-Erling Smørgrav wrote:
> Lev Serebryakov <l...@FreeBSD.org> writes:
>> Dag-Erling <d...@des.no> writes:
>> > Did you try changing the priority in /etc/nsswitch.conf?
>> It gives very long boot time, as nss_ldap waits for answer from
>> non-started server, again and again, etc.
>
> The only solution I can think of is to try to figure out how to reduce
> or eliminate this delay, because the system is doing exactly what you
> asked it to, i.e. treating /etc/group as authoritative and using LDAP
> only for groups it can't find there.
>
> DES

--
René de Vries
re...@canyon.xs4all.nl

Lev Serebryakov

Sep 26, 2011, 11:46:05 AM
to Rene de Vries, freebsd-...@freebsd.org
Hello, Rene.
You wrote on September 26, 2011, 15:07:09:

> Why not have /etc/group be authoritative for wheel (and thus have a list
> of local superusers)?
Idea is to have no local users (but root) at all :)

--
// Black Lion AKA Lev Serebryakov <l...@FreeBSD.org>

Ruben de Groot

Sep 27, 2011, 11:47:19 AM
to Lev Serebryakov, Rene de Vries, freebsd-...@freebsd.org
On Mon, Sep 26, 2011 at 07:44:32PM +0400, Lev Serebryakov typed:
> Hello, Rene.
>
> You wrote on September 26, 2011, 15:07:09:
>
> > Why not have /etc/group be authoritative for wheel (and thus have a list
> > of local superusers)?
> Idea is to have no local users (but root) at all :)

How about creating an ldap group 'su-users' and changing /etc/pam.d/su
to have the line:

auth requisite pam_group.so no_warn group=su-users root_only fail_safe
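The change Ruben suggests, written out as a complete /etc/pam.d/su. This is an added example, not a file from the thread or from the FreeBSD tree: the lines around the pam_group entry follow the stock FreeBSD su policy of that era as I remember it (pam_rootok, pam_self, then the system include), so diff it against the file on your own host before installing it. The group name su-users is the one from the post; the LDAP side (a posixGroup entry with a gidNumber and a memberUid per admin) is assumed to exist.

```conf
# /etc/pam.d/su  (added example; assumes an LDAP group named "su-users")
#
# auth
# root may su to anyone without a password.
auth        sufficient  pam_rootok.so   no_warn
# A user may su to their own account without a password.
auth        sufficient  pam_self.so     no_warn
# Gate su-to-root on membership in the LDAP group "su-users" instead of the
# local "wheel" (which stays in /etc/group with root as its only member):
#   requisite  - a non-member fails here, before any password is asked for
#   root_only  - skip the check unless the target account is root
#   fail_safe  - if the group does not exist or is empty (for instance because
#                nss_ldap could not reach the directory), behave as if this
#                line were absent instead of locking everyone out
#   no_warn    - do not tell the user why the attempt was declined
auth        requisite   pam_group.so    no_warn group=su-users root_only fail_safe
auth        include     system

# account
account     include     system

# session
session     required    pam_permit.so
```

Two caveats before relying on this. First, the directory, and the channel to it, now decides who may become root on every host: protect the su-users entry at least as well as /etc/group, and have nss_ldap talk TLS with server-certificate checking rather than cleartext LDAP. Second, fail_safe degrades rather than fails closed: when nss_ldap cannot reach the directory the su-users check is skipped and su to root falls through to the root password check in the system include; what limits the exposure is that every non-root account is itself in LDAP and cannot even be resolved while the directory is down. On later FreeBSD releases the stock line also carries ruser so that the membership test is made on the invoking user; check pam_group(8) on the release you run before copying the line.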

Chao Shin

Oct 12, 2011, 12:30:05 AM
to freebsd-...@freebsd.org, Lev Serebryakov


> Hello, Freebsd-security.
>
> I have a chicken-and-egg problem with the wheel group and the su utility when
> all users but root are stored in LDAP.
>
> wheel group should be in /etc/group to allow basic system services
> to start before LDAP is available.
>
> But when "wheel" is in /etc/group with only "root" member (as all
> other members are in LDAP), system never takes "wheel" members from
> LDAP (because /etc/group has priority) and "su" doesn't work!
>
> What is proper way to resolve this problem?
>

I don't have a system to test this now, but you can try the config below
in your nsswitch.conf:


group: files [success=return notfound=continue] ldap
passwd: files [success=return notfound=continue] ldap

I didn't meet this problem in my last company's environment

--
The Power to Serve

Dag-Erling Smørgrav

Oct 13, 2011, 9:08:19 AM
to Chao Shin, freebsd-...@freebsd.org, Lev Serebryakov
"Chao Shin" <quak...@geekcn.org> writes:

> "Lev Serebryakov" <l...@freebsd.org> writes:
> > But when "wheel" is in /etc/group with only "root" member (as all
> > other members are in LDAP), system never takes "wheel" members from
> > LDAP (because /etc/group has priority) and "su" doesn't work!
> I don't have a system to test this now, but you can try the config below
> in your nsswitch.conf:
>
> group: files [success=return notfound=continue] ldap
> passwd: files [success=return notfound=continue] ldap

That won't make any difference, because "files" *will* succeed, since
there is a wheel entry in /etc/group.

(actually, I believe [success=return notfound=continue] is the default
behavior)

DES
--
Dag-Erling Smørgrav - d...@des.no
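The two nsswitch.conf orderings discussed in the thread (DES's Sep 24 message on the boot delay and his Oct 13 message on the default status actions) side by side, followed by the nss_ldap settings that bound the delay. This is an added example, not configuration from the thread: the nss_ldap option names are those of the PADL nss_ldap.conf, which the FreeBSD port installs as /usr/local/etc/nss_ldap.conf, and the URI, base DN and CA file are placeholders.

```conf
# /etc/nsswitch.conf  (added example; keep only one of the two variants)

# Variant A, as in the original post: /etc/group is consulted first and wins.
# The default action list is "[success=return notfound=continue]" (and
# unavail=continue), so spelling it out changes nothing: "files" succeeds for
# "wheel" because /etc/group has an entry, LDAP is never asked, and the
# members of the two entries are not merged.
#group:   files ldap
#passwd:  files ldap

# Variant B: LDAP is authoritative and /etc/group is only the fallback, so
# wheel's members come from the directory.  Every lookup during boot now goes
# to LDAP first; the boot delay is whatever nss_ldap takes to give up on an
# unreachable server (see nss_ldap.conf below).  When the server is down the
# status is "unavail", the default action continues to "files", and the local
# wheel entry (root only) still resolves.
group:    ldap files
passwd:   ldap files
```

```conf
# /usr/local/etc/nss_ldap.conf  (added example; values are placeholders)
uri             ldap://ldap.example.org/
base            dc=example,dc=org

# Give up on a bind after 5 s instead of the default 30 s, and fail
# immediately ("soft") instead of retrying with exponential back-off
# ("hard", the default): a lookup made before slapd is up then costs a few
# seconds rather than minutes of retries.
bind_timelimit  5
bind_policy     soft
timelimit       5

# Never go to LDAP for root's supplementary groups, so rc scripts and
# daemons started as root do not block on the directory at all.
nss_initgroups_ignoreusers  root

# With LDAP authoritative for wheel, the directory and the channel to it
# decide who becomes root: require TLS and verify the server certificate.
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /usr/local/etc/ssl/ca.crt
```

Variant B has a consequence beyond the delay: with passwd: ldap files, an LDAP entry whose uid is "root" shadows the local root account, so directory write access becomes equivalent to local root. If that is not acceptable, the choice narrows to keeping wheel local and gating su with a separate LDAP group through pam_group, as suggested earlier in the thread.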
