SUMMARY: passwd_compat and netgroups

From: Cody Herriges <>
Date: Thu Apr 09 2009 - 14:53:36 EDT
On Mar 12, 2009, at 7:08 PM, Cody Herriges wrote:

> We here have several different update versions on Solaris 10
> installed throughout our infrastructure that range from Update 2 to
> Update 5.  We use 'passwd: compat' and 'passwd_compat: ldap' with
> '+@somenetgroup' in our passwd and shadow files to control access to
> these systems.  I have been trying to develop an Update 6 load,
> primarily for the newer ZFS version to be used on a new x4540, and
> have run into a snag.  With the same configuration files we have
> been using on our other loads (pam.conf, nsswitch.conf, and
> ldap_client_file), or any variation I have attempted, compat mode
> will no longer function properly with netgroup declarations in the
> passwd and shadow files.  I can still put '+someuser' or '-someuser'
> in the passwd and shadow files and get normal compat behavior for
> single user declarations.

This was a product of the way I was testing U6.  All of our U5 and
lower boxes were being loaded via jumpstart that was originally
configured to set up NIS before we switched to LDAP, and not all the
old files were removed from this installation, so /etc/defaultdomain
was being set by some crufty NIS stuff in our finish scripts,
something I didn't think was required for LDAP and that is also not set
when you install Solaris by hand from media.  I was installing U6 from
media and then converting it to use LDAP by hand, and so there was no
defaultdomain file.  Sun support noticed it was not set, and when I set
it, LDAP compat mode started to function again with netgroups.  Through
testing I found that it did not matter what the defaultdomain file had
in it, just as long as it had something.

> Anyone know what changed between Update 5 and Update 6 that would be
> causing compat mode to no longer function with netgroups?  I tried
> to emulate our old compat configuration using pam_list, which was
> included in Update 6 but not part of the standard pam.conf, but I was
> not able to get the module to function properly nor find any
> examples of people implementing the new module.

This was solved by Milan Jurik from Sun via this list.  I was using
the wrong line in pam.conf.  It should be "other account required",
but I chose to stick with compat mode after figuring out what was
causing issues.  pam_list requires all users to be in a kind of
"default" netgroup for it to function properly.  We have always made
the default to be no netgroup, and if you need access then you get
added to one.  pam_list functioned as advertised though, even without
the setting of defaultdomain.

Thanks for the responses.

Cody Herriges - Lead Unix System Administrator
MCECS -  Portland State University
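The three conditions the thread arrived at (the passwd compat/ldap lines in nsswitch.conf, '+@netgroup' entries kept in step between passwd and shadow, and a non-empty /etc/defaultdomain) can be checked before a host goes into service. The POSIX sh script below is an added example and is not code from the original post or from Sun. File paths are parameters so it can be run against copies or fixtures; the fixture contents, the netgroup name 'deniednetgroup' and the domain value 'example.invalid' are constructed for the example, and only 'somenetgroup' and 'someuser' come from the message above.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for the compat
# setup described in the thread: 'passwd: compat' plus 'passwd_compat: ldap'
# in nsswitch.conf, '+@netgroup' lines present in both passwd and shadow, and
# a non-empty defaultdomain file. Paths are parameters; on a live host they
# would be /etc/nsswitch.conf, /etc/passwd, /etc/shadow, /etc/defaultdomain.

# check_defaultdomain FILE -> 0 when FILE's first line holds a non-blank value.
# The thread found the content did not matter, only that something was set.
check_defaultdomain() {
    [ -s "$1" ] || return 1
    dom=$(head -n 1 "$1" | tr -d '[:space:]')
    [ -n "$dom" ]
}

# check_nsswitch FILE -> 0 when both 'passwd: compat' and
# 'passwd_compat: ldap' are present (extra trailing tokens are allowed).
check_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:[[:space:]]+compat([[:space:]]|$)' "$1" || return 1
    grep -Eq '^[[:space:]]*passwd_compat:[[:space:]]+ldap([[:space:]]|$)' "$1"
}

# list_compat_tokens FILE -> prints each +@netgroup / -@netgroup token from
# the first field of FILE, one per line; single-user +user/-user lines skip.
list_compat_tokens() {
    sed -n 's/^\([+-]@[^:]*\).*/\1/p' "$1"
}

# check_compat_pairs PASSWD SHADOW -> 0 when every netgroup token in PASSWD
# also starts a line in SHADOW (the thread keeps both files in step).
check_compat_pairs() {
    pairs_rc=0
    for tok in $(list_compat_tokens "$1"); do
        if ! grep -q "^$tok:" "$2"; then
            echo "missing in $2: $tok" >&2
            pairs_rc=1
        fi
    done
    return $pairs_rc
}

# compat_netgroup_check NSSWITCH PASSWD SHADOW DEFAULTDOMAIN -> 0 when all
# checks pass; prints one line per failed check.
compat_netgroup_check() {
    overall=0
    check_nsswitch "$1" || { echo "nsswitch: passwd compat/ldap lines not both present"; overall=1; }
    check_compat_pairs "$2" "$3" || { echo "passwd/shadow: netgroup entries out of step"; overall=1; }
    check_defaultdomain "$4" || { echo "defaultdomain: missing or empty (netgroup compat will not work)"; overall=1; }
    return $overall
}

# make_fixtures DIR -> writes constructed sample files into DIR (not real
# host data; the netgroup 'deniednetgroup' and the domain are made up).
make_fixtures() {
    mkdir -p "$1"
    printf 'passwd:     compat\npasswd_compat: ldap\ngroup:      files ldap\nnetgroup:   ldap\n' > "$1/nsswitch.conf"
    printf 'root:x:0:0:Super-User:/:/sbin/sh\n+someuser::::::\n+@somenetgroup::::::\n-@deniednetgroup::::::\n' > "$1/passwd"
    printf 'root:NP:6445::::::\n+someuser:::::::::\n+@somenetgroup:::::::::\n-@deniednetgroup:::::::::\n' > "$1/shadow"
    printf 'example.invalid\n' > "$1/defaultdomain"
}

# Stand-alone run against the constructed fixtures.
demo_dir=${TMPDIR:-/tmp}/compat-demo.$$
make_fixtures "$demo_dir"
if compat_netgroup_check "$demo_dir/nsswitch.conf" "$demo_dir/passwd" "$demo_dir/shadow" "$demo_dir/defaultdomain"; then
    echo "all compat checks passed"
fi
rm -rf "$demo_dir"
```

Run it as-is to see the fixture pass, or call compat_netgroup_check with the real /etc paths from a root shell; an empty or whitespace-only defaultdomain file is reported as a failure, which is the case the thread spent weeks on.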
sunmanagers mailing list
Received on Thu Apr 9 14:54:17 2009

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:13 EST