Hi, all,

sorry for not trying this earlier and now replying to myself, but I'm
slowly making progress isolating the problem.

> On 23.11.2015 at 15:42, Patrick M. Hausen <hau...@punkt.de> wrote:
> 
> Hi, all,
> 
> I just upgraded an older system from 8.4 to 10.2 in a single go.
> No unexpected problems, until I tried to use "su":
> 
>       $ su -
>       su: Sorry
> 
> Well, I *am* a member of the wheel group:
> 
>       $ id
>       uid=10093(ry93) gid=10001(intern) groups=10001(intern),0(wheel),10002(entwickler)
> 
> Hmmm ... we pull all this information from LDAP. My nsswitch.conf has always been:
> 
>       group: files cache ldap
>       passwd: files cache ldap

And this part seems to be just as valid and working as before. I had the implicit
assumption that su(1) was using something like getgroups() to determine if I am
a member of "wheel" - which it doesn't. I even hacked up 5 lines of C to quickly
get my supplementary group list and lo and behold:

$ ./groups 
10002
0
10001

So, it is not NSS' or LDAP's fault.


I just looked at the source for su(1) and it looks like it uses PAM to check if
I am authorized to su to root:

        retcode = pam_authenticate(pamh, 0);
        if (retcode != PAM_SUCCESS) {
                syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
                    username, user, mytty);
                errx(1, "Sorry");
        }

My /etc/pam.d/system looks like this:

----------- system -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
----------------------

And /etc/pam.d/su like this:

----------- su -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            include         system

# account
account         include         system

# session
session         required        pam_permit.so
----------------------

Any changes that I missed on the way from 8.4 to 10.2? Unfortunately
I do not have an older 10.x system that runs with an Active Directory connection.
Only 8.4 ones - this one was the first to finally get updated to a current FreeBSD
version.

As I stated this PAM configuration works as intended on 8.4. I generated the
10.2 files above by running mergemaster.


Thanks,
Patrick
-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285
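Added diagnostic, not part of the original mail or of su(1): it compares the two places a "member of wheel" answer can come from, the calling process's supplementary group set from getgroups(2) (what the five-line test in the mail prints) and the group database entry from getgrnam(3), whose gr_mem list and the user's primary gid are what a getgrnam-based check such as a PAM group module sees. The group name wheel and the sample gids come from the mail; the helper names are mine, and the program assumes a POSIX libc.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* View 1: is gid present in a supplementary group list as returned by
 * getgroups(2)? The mail's list was {10002, 0, 10001}, so 0 (wheel) matches. */
int gid_in_list(const gid_t *groups, int ngroups, gid_t gid)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* View 2: is the user named in a struct group's NULL-terminated gr_mem list?
 * This is what a getgrnam(3)-based check consults; an LDAP group entry whose
 * member list does not contain the login name fails here even if view 1 passes. */
int user_in_gr_mem(char *const *gr_mem, const char *user)
{
    if (gr_mem == NULL)
        return 0;
    for (; *gr_mem != NULL; gr_mem++)
        if (strcmp(*gr_mem, user) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *target = "wheel";          /* group= value from /etc/pam.d/su */
    int n = getgroups(0, NULL);            /* size the buffer first, then fetch */
    gid_t *groups = n > 0 ? calloc((size_t)n, sizeof *groups) : NULL;
    if (groups == NULL || (n = getgroups(n, groups)) < 0) { perror("getgroups"); return 1; }

    struct passwd *pw = getpwuid(getuid());
    struct group *gr = getgrnam(target);
    if (pw == NULL || gr == NULL) { fprintf(stderr, "passwd/group lookup failed\n"); return 1; }

    printf("supplementary groups:");
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)groups[i]);
    printf("\ngetgroups() view  : %s\n", gid_in_list(groups, n, gr->gr_gid) ? "member" : "not member");
    printf("group database view: %s\n",
        (pw->pw_gid == gr->gr_gid || user_in_gr_mem(gr->gr_mem, pw->pw_name)) ? "member" : "not member");
    free(groups);
    return 0;
}
```

If the two lines disagree, the NSS group lookup is filling in the gid list but not the member names for wheel, which is the kind of mismatch a getgrnam-based PAM check would report as "Sorry".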

_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"