On Mar 12, 2009, at 7:08 PM, Cody Herriges wrote:

> We here have several different update versions on Solaris 10 installed
> throughout our infrastructure that range from Update 2 to Update 5. We use
> 'passwd: compat' and 'passwd_compat: ldap' with '+@somenetgroup' in our
> passwd and shadow files to control access to these systems. I have been
> trying to develop an Update 6 load, primarily for the newer ZFS version to
> be used on a new x4540, and have run into a snag. With the same
> configuration files we have been using on our other loads, pam.conf,
> nsswitch.conf, and ldap_client_file, or any variation I have attempted,
> compat mode will no longer function properly with netgroup declarations in
> passwd and shadow files. I can still put '+someuser' or '-someuser' in the
> passwd and shadow files and get normal compat behavior for single user
> declarations.

This was a product of the way I was testing U6. All of our U5 and lower boxes were being loaded via jumpstart that was originally configured to set up NIS before we switched to LDAP, and not all the old files were removed from this installation, so /etc/defaultdomain was being set by some crufty NIS stuff in our finish scripts. Something I didn't think was required for LDAP, and it is also not set when you install Solaris by hand from media. I was installing U6 from media and then converting it to use LDAP by hand, and so no defaultdomain file. Sun support noticed it was not set, and when I set it LDAP compat mode started to function again with netgroups. Through testing I found that it did not matter what the defaultdomain file had in it, just as long as it had something.

> Anyone know what changed between Update 5 and Update 6 that would be
> causing compat mode to no longer function with netgroups? I tried to
> emulate our old compat configuration using pam_list, which was included in
> Update 6 but not part of the standard pam.conf, but I was not able to get
> the module to function properly nor find any examples of people
> implementing the new module.

This was solved by Milan Jurik from Sun via this list. I was using the wrong line in pam.conf. It should be "other account required pam_list.so.1", but I chose to stick with compat mode after figuring out what was causing issues. pam_list requires all users to be in a kind of "default" netgroup for it to function properly. We have always made the default to be no netgroup, and if you need access then you get added to one. pam_list functioned as advertised though, even without the setting of defaultdomain.

Thanks for the responses.

----------------------------------------------------
Cody Herriges - Lead Unix System Administrator
MCECS - Portland State University
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Apr 9 14:54:17 2009
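Added audit script, not part of the original thread or of Sun's tooling: it checks a Solaris 10 client tree for the conditions the summary identifies (a non-empty /etc/defaultdomain, passwd routed through compat and compat through ldap, matching '+@netgroup' lines in passwd and shadow, and the exact pam_list line). The root-directory argument, the make_sample_root helper, the domain 'example.org' and the netgroup name 'sysadmins' are assumptions made for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the thread). $1 is the root of a Solaris 10
# client tree (a copy, a mounted image, or / for the live host).
# Returns 0 when the compat/netgroup prerequisites hold, 1 otherwise.
check_compat_config() {
    root="$1"; status=0
    # 1. /etc/defaultdomain: content is irrelevant, but it must be non-empty,
    #    otherwise '+@netgroup' entries in passwd/shadow silently stop matching.
    if [ ! -s "$root/etc/defaultdomain" ]; then
        echo "FAIL: $root/etc/defaultdomain missing or empty"; status=1
    fi
    # 2. nsswitch.conf: passwd routed through compat, and compat through ldap.
    for want in '^passwd:[[:space:]]*compat' '^passwd_compat:[[:space:]]*ldap'; do
        grep -q "$want" "$root/etc/nsswitch.conf" 2>/dev/null \
            || { echo "FAIL: nsswitch.conf lacks /$want/"; status=1; }
    done
    # 3. Every '+@netgroup' line in passwd needs its counterpart in shadow.
    for ng in $(grep '^+@' "$root/etc/passwd" 2>/dev/null | cut -d: -f1); do
        grep -q "^$ng:" "$root/etc/shadow" 2>/dev/null \
            || { echo "FAIL: $ng in passwd but not in shadow"; status=1; }
    done
    # 4. pam_list, if referenced at all, must be the 'other account required' line.
    if grep -q 'pam_list' "$root/etc/pam.conf" 2>/dev/null; then
        grep -Eq '^other[[:space:]]+account[[:space:]]+required[[:space:]]+pam_list\.so\.1' \
            "$root/etc/pam.conf" \
            || { echo "FAIL: pam_list.so.1 is not on 'other account required'"; status=1; }
    fi
    return $status
}

# Constructed sample tree ("good", or "bad" with the empty defaultdomain the
# thread describes). Netgroup 'sysadmins' is made up. Prints the directory.
make_sample_root() {
    d=$(mktemp -d); mkdir -p "$d/etc"
    printf 'passwd: compat\npasswd_compat: ldap\n' > "$d/etc/nsswitch.conf"
    printf 'root:x:0:0::/:/sbin/sh\n+@sysadmins::::::\n' > "$d/etc/passwd"
    printf 'root:NP:::::::\n+@sysadmins::::::::\n' > "$d/etc/shadow"
    printf 'other account required pam_list.so.1\n' > "$d/etc/pam.conf"
    if [ "$1" = good ]; then printf 'example.org\n' > "$d/etc/defaultdomain"
    else : > "$d/etc/defaultdomain"; fi
    echo "$d"
}

# Stand-alone demo: audit both sample trees, then clean up.
for kind in good bad; do
    r=$(make_sample_root "$kind")
    check_compat_config "$r" && echo "$kind tree: OK" || echo "$kind tree: problems found"
    rm -rf "$r"
done
```

Running it against a jumpstart finish-script output directory before the first boot catches the empty-defaultdomain case without a login test.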