# Can't su with ldap [solved (sorta)]

## brjames

Hey, finally got LDAP authenticating on a client machine, but now I've found I can't use 'su'. root can use su, but my users can't.

These are the groups I'm a part of:

```
bash-2.05b$ groups
wheel floppy audio cdrom video games cdrw usb users portage
```

On the server this user can su to his heart's content (he exists in the main files as well). Any clue as to how to fix this?

Thanks in advance

Last edited by brjames on Fri May 13, 2005 6:14 am; edited 1 time in total

----------

## brjames

OK, so after some looking around, it's the following line in /etc/pam.d/su:

```
auth       required     /lib/security/pam_wheel.so use_uid
```

This line checks if the user in question is in the wheel group (or GID =10).

So apparently, even though the "groups" command says I'm in the wheel group, pam_wheel doesn't believe it. Anybody know of a solution? Or is this not a problem on your setup?

----------

## brjames

So after digging through the source for pam_wheel and groups, I see that instead of checking if one of the user's groups is wheel, pam_wheel checks to see if the user is among the members of the wheel group.

What's the difference?

Well, the problem is sort of in nsswitch.conf:

```
passwd:      files ldap
shadow:      files ldap
group:       files ldap
```

See how it checks the files before it checks ldap? Well, a wheel group exists in the local files, so since that's found it doesn't check ldap. Except none of my users exist in the local files, so they surely aren't members of wheel according to /etc/group.

First solution:

Change /etc/nsswitch.conf to the following:

```
passwd:      files ldap
shadow:      files ldap
group:       ldap files
```

After some further thinking, and desiring to not have every single group lookup ever go to LDAP, I changed nsswitch.conf back and commented the wheel group out of the local /etc/group.

I say it's a sorta solution cuz it seems like this is not a universal fix. I suppose it shows that it's good practice to separate as much as possible LDAP users & groups and local users & groups, but what if that wasn't possible?

Consider the portage group: you don't want system users in the LDAP directory, so you delete the user "portage" from LDAP. But as a user you do want to test emerge output from your regular account, so you keep the portage group and add certain users to it. Of course the local machines still have the portage user, but they also have the portage group. So now you have two separate portage groups, one which has the regular user and one which has the portage user. What's to be done?

I suppose the proper solution is for nss to union the group memberships somehow... but that sounds very messy. Perhaps it should just be accepted as a limitation of nss.

[Note that the example of portage is complete BS for 2 reasons: 1. The portage user _owns_ the portage files, so it doesn't matter a whit what group he belongs to, and 2. portage is nice and checks if a user is a member of a group, not if a group's members include a user.]

----------
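The post above describes two different questions that look the same: "which groups is this user in?" (what `groups` prints, built from a supplementary-group scan that consults every source in nsswitch.conf and merges the results) versus "who is in the wheel group?" (a single `getgrnam("wheel")` lookup that stops at the first source that has an entry). The following toy model, added here and not code from the thread, glibc or pam_wheel, reproduces both lookups over a constructed pair of group databases and runs the three configurations the post walks through (original order, `ldap files`, and the local wheel entry removed). The group contents and the `diagnose` helper are assumptions for illustration.

```python
"""Toy model of NSS group resolution (constructed example; not glibc code)."""

# Constructed group databases keyed by NSS source name.  Each source maps a
# group name to (gid, members).  Only the LDAP copy of "wheel" lists brjames,
# mirroring a local /etc/group that still carries its own wheel line.
SOURCES = {
    "files": {
        "wheel": (10, ["root"]),
        "users": (100, []),
        "portage": (250, []),
    },
    "ldap": {
        "wheel": (10, ["brjames"]),
        "users": (100, ["brjames"]),
        "portage": (250, ["brjames"]),
    },
}


def getgrnam(name, order, sources=SOURCES):
    """First-match lookup, like getgrnam(3) under 'group: files ldap':
    the first source that knows the group wins and later ones are ignored."""
    for src in order:
        entry = sources[src].get(name)
        if entry is not None:
            return {"name": name, "gid": entry[0], "mem": list(entry[1]), "source": src}
    return None


def initgroups(user, order, sources=SOURCES):
    """Supplementary-group scan: every source in the order is consulted and
    the memberships are merged, which is what the 'groups' command reports."""
    found = set()
    for src in order:
        for name, (_gid, members) in sources[src].items():
            if user in members:
                found.add(name)
    return sorted(found)


def pam_wheel_allows(user, order, sources=SOURCES):
    """The pam_wheel test the post describes: is the user listed in the wheel
    entry that getgrnam returned, not 'does the user's group list contain wheel'."""
    wheel = getgrnam("wheel", order, sources)
    return wheel is not None and user in wheel["mem"]


def diagnose(user, order, sources=SOURCES):
    """Summarise the two views of the same user for one nsswitch order."""
    wheel = getgrnam("wheel", order, sources)
    return {
        "groups_cmd_shows_wheel": "wheel" in initgroups(user, order, sources),
        "wheel_entry_from": wheel["source"] if wheel else None,
        "pam_wheel_allows_su": pam_wheel_allows(user, order, sources),
    }


def without_local_wheel(sources=SOURCES):
    """The second fix in the post: comment wheel out of the local /etc/group."""
    trimmed = {src: dict(db) for src, db in sources.items()}
    trimmed["files"].pop("wheel", None)
    return trimmed


if __name__ == "__main__":
    for label, order, src in [
        ("group: files ldap (original)", ["files", "ldap"], SOURCES),
        ("group: ldap files (first fix)", ["ldap", "files"], SOURCES),
        ("group: files ldap, local wheel removed", ["files", "ldap"], without_local_wheel()),
    ]:
        print(label, diagnose("brjames", order, src))
```

The first configuration is the confusing one: `groups` reports wheel (merged scan) while pam_wheel, looking only at the `files` copy of wheel, denies su. Either reordering the sources or deleting the local entry makes the two views agree. Later glibc releases added a `merge` action for the group database in nsswitch.conf, which is the "union" the post asks for; on a 2005-era system the two workarounds shown are what is available.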

## oleo

I also have the same problem, but I solved it!!!

This is the reference: http://ldots.org/ldap/

...and here my /etc/pam.d/su file:

```
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_env.so
session    sufficient   /lib/security/pam_ldap.so
session    optional     /lib/security/pam_xauth.so
```

Every other line is commented out! Bye and good luck!

----------

## drak

*oleo wrote:*

> I also have the same problem, but I solved it!!!
>
> This is the reference: http://ldots.org/ldap/

I don't think you have solved it! Unfortunately this doesn't work as it should.

```
auth      sufficient   /lib/security/pam_ldap.so
```

means that if the user can be authenticated against ldap it will allow the user to su; this does not check that the user is in the wheel group, and as such you may as well comment out the line

```
auth       required     /lib/security/pam_wheel.so use_uid
```

----------
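drak's objection comes down to how Linux-PAM evaluates control flags: a `sufficient` module that succeeds ends the stack with success unless an earlier `required` module has already failed, so placing `pam_ldap.so sufficient` above `pam_wheel.so required` means the wheel check is never reached for any user who can authenticate against LDAP. The evaluator below, added here and not code from the thread or from Linux-PAM, models the `required`/`requisite`/`sufficient`/`optional` semantics over a constructed set of users and compares oleo's auth stack with a reordered one in which the wheel check precedes the LDAP module. The user table, the module stand-ins and the `HARDENED_AUTH` ordering are assumptions for illustration; `system_auth` stands in for `pam_stack.so service=system-auth` and simply accepts local users.

```python
"""Toy evaluator for a PAM 'auth' stack (constructed model of the control
flags, not Linux-PAM code).  Modules are plain functions: user -> bool."""

# Constructed users.  brjames is an LDAP user with a valid LDAP password who
# is NOT in the wheel group; alice is an LDAP user who is; root is local.
USERS = {
    "brjames": {"uid": 1000, "in_ldap": True, "ldap_password_ok": True, "in_wheel": False},
    "alice":   {"uid": 1001, "in_ldap": True, "ldap_password_ok": True, "in_wheel": True},
    "root":    {"uid": 0,    "in_ldap": False, "ldap_password_ok": False, "in_wheel": True},
}


def pam_rootok(u):
    return u["uid"] == 0


def pam_ldap(u):
    return u["in_ldap"] and u["ldap_password_ok"]


def pam_wheel(u):
    # 'use_uid' in the real module means the *calling* user is checked;
    # here every stack run is already keyed on that user.
    return u["in_wheel"]


def system_auth(u):
    # Stand-in for pam_stack service=system-auth: local accounts only.
    return not u["in_ldap"]


def run_stack(stack, user):
    """Apply Linux-PAM control-flag semantics to an ordered list of
    (control, module) pairs; return True if the stack ends in success."""
    failed = False
    for control, module in stack:
        ok = module(user)
        if control == "requisite":
            if not ok:
                return False               # fail and stop immediately
        elif control == "required":
            if not ok:
                failed = True              # remember, but keep running the stack
        elif control == "sufficient":
            if ok and not failed:
                return True                # short-circuits everything below
        elif control == "optional":
            pass                           # result ignored in a multi-module stack
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not failed


# oleo's auth stack as posted: pam_ldap 'sufficient' sits above pam_wheel.
OLEO_AUTH = [
    ("sufficient", pam_rootok),
    ("sufficient", pam_ldap),
    ("required", pam_wheel),
    ("required", system_auth),
]

# Reordered so the wheel check runs before anything can short-circuit (assumed fix).
HARDENED_AUTH = [
    ("sufficient", pam_rootok),
    ("required", pam_wheel),
    ("sufficient", pam_ldap),
    ("required", system_auth),
]


def who_can_su(stack, users=USERS):
    """Names of users for whom the given auth stack returns success."""
    return sorted(name for name, u in users.items() if run_stack(stack, u))


if __name__ == "__main__":
    print("oleo's stack lets through:", who_can_su(OLEO_AUTH))
    print("hardened stack lets through:", who_can_su(HARDENED_AUTH))
```

With oleo's ordering, brjames (valid LDAP credentials, not in wheel) gets through because `pam_ldap` returns success before `pam_wheel` has a chance to record a failure. With `pam_wheel` moved above `pam_ldap`, its `required` failure is remembered, the later `sufficient` success no longer ends the stack early, and only wheel members (or root via `pam_rootok`) succeed. The same reasoning applies to any stack where a `sufficient` line precedes a `required` restriction.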

