Operating System - HP-UX

pwgrd gathering secondary groups while using LDAP - OS:1131

Seth Altschul
Advisor

System OS 11.31 LDAPUX 4.15 using PAM and tectia ssh 6.0.1

I have a need (su, sudo etc.) for secondary groups to be available to the system for users that SSH to my 1131 servers and log on/authenticate by LDAP.

If I start /usr/sbin/pwgrd, the behavior is as expected: the id and groups commands show all my secondary group memberships, and su and sudo allow users to run commands that are defined to those secondary groups.

If I kill pwgrd and then SSH back in, id and groups only show my primary group, and su/sudo do not allow users with group memberships to run those commands.

For security reasons I would like to turn off pwgrd, as this is the standard on our 1123 servers -- groups work properly on 1123 without pwgrd running.

Does anyone have any information on how to get group memberships working correctly on 1131 without pwgrd?


8 REPLIES
Patrick Wallek
Honored Contributor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

Since I don't have an 11.31 system to play with, I don't know if this will work.

See if you have a link for /etc/logingroup to /etc/group. If not, try creating one.

# ln -s /etc/group /etc/logingroup
Dennis Handly
Acclaimed Contributor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

>For security reasons I would like to turn off pwgrd

What security do you gain?

pwgrd(1m) says you can disable it in /etc/rc.config.d/pwgr. It doesn't mention any drawbacks except for performance.
kevin_m
Valued Contributor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

I have several 11.31 servers using LDAP for password authentication with Windows AD. We're not using pwgrd on any of them. One thing I did notice is that the id command won't show any secondary groups unless run by root. Any changes made to /etc/group or the sudoers file work as expected though. Are you having problems with SSH at all or just local authentication?

- Kevin
Seth Altschul
Advisor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

Hello,

I did try the netgroup link a while back, as this also popped up in a few other group threads, and it made no difference. Thanks though...

This seems to happen only when LDAP users SSH in. Root works fine, along with any other local user. If I su - after SSHing in as root it also works as expected. I can log in at the console via my LDAP account and it seems to work fine as well.

Here is the security doc that I followed for info on the security settings:
http://docs.hp.com/en/5187-2725/ch02s04.html

Thanks,

Seth
kevin_m
Valued Contributor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

Check the file /etc/opt/ldapux/pam_authz.policy. If you're using a local security group for remote access then add it to the line starting with 'allow:unix_group'. Examples of this and using LDAP for security are in the file header.
Seth Altschul
Advisor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

Hello Kevin,

For LDAP we are using netgroup authentication. I have the allow:netgroup populated in the pam_authz.policy file with the correct netgroups and authentication works fine.

Seth
kevin_m
Valued Contributor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

I ran into the same problem a while ago trying to log in as an LDAP user. It turned out to be a typo in the /etc/pam.conf file. I'm attaching a copy from one of my servers in case it helps.

- Kevin
Gregory D Baker
Frequent Advisor

Re: pwgrd gathering secondary groups while using LDAP - OS:1131

I think the problem might have something to do with having a group longer than 8 characters.

I've just run into that bug on 11.11 systems which didn't have the long usernames patch.
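A small diagnostic script, added here as an example and not posted by anyone in the thread, that checks the points raised above in one place: whether pwgrd is running, whether /etc/logingroup is the symlink to /etc/group that Patrick suggests, which group names exceed the 8-character limit Gregory mentions, and what the group file itself grants a user as secondary groups, so that can be compared with what id(1) resolves after an LDAP SSH login. It assumes a POSIX sh with awk; the group file is passed as a parameter so the functions can be run against a copy.

```shell
#!/bin/sh
# Added diagnostic for the checks raised in this thread (not from any poster).
# The group file is a parameter so the functions can be run against a copy;
# on the live system pass /etc/group.

# Secondary groups a user holds in a group file: every group whose member
# list (4th field) names the user, printed comma separated in file order.
secondary_groups() {
    awk -F: -v u="$2" '
        NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) out = (out == "" ? $1 : out "," $1)
        }
        END { print out }' "$1"
}

# Group names longer than 8 characters (the limit Gregory suspects).
long_group_names() {
    awk -F: 'length($1) > 8 { print $1 }' "$1"
}

# True when the given path is a symlink whose target is /etc/group
# (Patrick's /etc/logingroup suggestion). Parses ls -l instead of using
# readlink, which is assumed not to be present on HP-UX.
logingroup_linked() {
    [ -L "$1" ] || return 1
    [ "$(ls -ld "$1" | sed 's/.* -> //')" = "/etc/group" ]
}

# Live report: what pwgrd is doing, the link state, and the group file's
# view of the current user next to what id(1) resolves.
report() {
    gfile=${1:-/etc/group}
    me=$(id -un)
    printf 'pwgrd processes: %s\n' "$(ps -e | grep -c '[p]wgrd')"
    if logingroup_linked /etc/logingroup; then
        echo "/etc/logingroup -> /etc/group: yes"
    else
        echo "/etc/logingroup -> /etc/group: no"
    fi
    printf 'groups in %s for %s: %s\n' "$gfile" "$me" "$(secondary_groups "$gfile" "$me")"
    printf 'groups as resolved by id(1): %s\n' "$(id)"
    echo "group names over 8 chars: $(long_group_names "$gfile" | tr '\n' ' ')"
}
```

Source the file and run `report` as the LDAP user after SSHing in, then again with pwgrd started, to see which of the two lists changes.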