limit Network Information Server (NIS) logins to a specific netgroup - Redhat


  1. limit Network Information Server (NIS) logins to a specific netgroup

    I am trying to limit access to a client using a netgroup, which I did
    many times in Solaris, but RH has some different way of handling it.
    I was referring to this: http://kbase.redhat.com/faq/FAQ_80_3558.shtm

    When I include the full path (/lib/security/pam_access.so) in the PAM
    files, it notes that the module is unknown.

    The file in the full path is OK.
    ls -l /lib/security/pam_access.so
    -rwxr-xr-x 1 root root 9696 Feb 18 2005 /lib/security/pam_access.so

    When I remove the full path and keep only pam_access.so, it will not
    limit access.

    /etc/security/access.conf was updated based on the example (the group was
    changed to the corresponding NIS netgroup, which is working, verified with
    ypcat for the NIS client).

    Do I need to make a change in nsswitch.conf or the shadow file?
    Any other idea why?

    thanks

    Niro


  2. Re: limit Network Information Server (NIS) logins to a specific netgroup

    On Mar 5, 8:11 am, "Niro" wrote:
    > I am trying to limit access to a client using a netgroup, which I did
    > many times in Solaris, but RH has some different way of handling it.
    > I was referring to this: http://kbase.redhat.com/faq/FAQ_80_3558.shtm
    >
    > When I include the full path (/lib/security/pam_access.so) in the PAM
    > files, it notes that the module is unknown.
    >
    > The file in the full path is OK.
    > ls -l /lib/security/pam_access.so
    > -rwxr-xr-x 1 root root 9696 Feb 18 2005 /lib/security/pam_access.so
    >
    > When I remove the full path and keep only pam_access.so, it will not
    > limit access.
    >
    > /etc/security/access.conf was updated based on the example (the group was
    > changed to the corresponding NIS netgroup, which is working, verified with
    > ypcat for the NIS client).
    >
    > Do I need to make a change in nsswitch.conf or the shadow file?
    > Any other idea why?
    >
    > thanks
    >
    > Niro



    what does your nsswitch.conf entry for netgroup look like now? It
    should be

    netgroup: files nis



  3. Re: limit Network Information Server (NIS) logins to a specific netgroup

    On Mar 6, 4:08 am, "Kalyan Manchikanti"
    wrote:
    > what does your nsswitch.conf entry for netgroup look like now? It
    > should be
    >
    > netgroup: files nis




    it does:
    cat /etc/nsswitch.conf | grep netgroup
    netgroup: files nis



  4. Re: limit Network Information Server (NIS) logins to a specific netgroup

    On Mar 6, 9:13 am, "Niro" wrote:
    > it does:
    > cat /etc/nsswitch.conf | grep netgroup
    > netgroup: files nis


    Which services are you trying to use the PAM module pam_access.so
    for? I know you must have checked, but it is worth checking again:
    make sure you have the line

    account required pam_access.so

    right after the line

    account required pam_stack.so service=system-auth

    for all the services you want to restrict.

    Also, one more thing you can try is removing the line

    +:ALL:LOCAL #Allow all local users to login

    from /etc/security/access.conf (this is pretty much useless
    unless you log in directly as root).

    hth,
    Kalyan





  5. Re: limit Network Information Server (NIS) logins to a specific netgroup

    On Mar 6, 11:19 pm, "Kalyan Manchikanti"
    wrote:
    > Which services are you trying to use the pam module pam_access.so
    > for ? I know you must have checked but it is worth checking it again,
    > make sure you have the line
    >
    > account required pam_access.so
    >
    > right after the line
    >
    > account required pam_stack.so service=system-auth
    >
    > for all the services you want to restrict..
    >
    > Also, one more thing you can try is removing the line,
    >
    > +:ALL:LOCAL #Allow all local users to login
    >
    > from the /etc/security/access.conf..( this is pretty much useless
    > unless you login directly as root).
    >
    > hth,
    > Kalyan


    The answer we found was actually modifying this line to:
    + : root : LOCAL #Allow all local users to login


    now it works and all local users can access too!?

    Niro
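
Added example, not part of the thread or of the Red Hat article: a simplified Python model of how access.conf entries are scanned top to bottom with the first matching entry deciding, comparing the `+:ALL:LOCAL` line with the `+ : root : LOCAL` line from the last post. The netgroup name `unixadmins`, the user and host names, and the second and third rules are assumptions (only the LOCAL lines appear in the thread); LOCAL is simplified to "not a networked login" and EXCEPT is not modelled.

```python
# Added example: simplified first-match model of /etc/security/access.conf.
# Constructed stand-in for the NIS netgroup map (hypothetical names).
NETGROUPS = {"unixadmins": {"alice"}}

def parse(text):
    """Return (perm, users, origins) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def user_matches(token, user):
    if token == "ALL":
        return True
    if token.startswith("@"):                  # @name is a netgroup
        return user in NETGROUPS.get(token[1:], set())
    return token == user

def origin_matches(token, origin, networked):
    if token == "ALL":
        return True
    if token == "LOCAL":                       # simplified: console/tty login
        return not networked
    return token == origin

def evaluate(text, user, origin, networked):
    """True/False from the first matching rule, None if no rule matches."""
    for perm, users, origins in parse(text):
        if any(user_matches(t, user) for t in users) and \
           any(origin_matches(t, origin, networked) for t in origins):
            return perm == "+"
    return None

# Rule sets are constructed; only the first line of each is from the thread.
BEFORE = """+:ALL:LOCAL #Allow all local users to login
+:@unixadmins:ALL
-:ALL:ALL"""
AFTER = """+ : root : LOCAL #Allow all local users to login
+ : @unixadmins : ALL
- : ALL : ALL"""

if __name__ == "__main__":
    for who, origin, net in [("bob", "tty1", False), ("root", "tty1", False),
                             ("alice", "client1.example.com", True)]:
        print(who, origin, evaluate(BEFORE, who, origin, net),
              evaluate(AFTER, who, origin, net))
```
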

