Groups differ from the local ones when logging in remotely

Question

We store our users in LDAP, alongside some groups that have meaning across different systems (organizational roles including wheel). There are also groups local to workstations, e.g. audio or video that are not desirable to be put into LDAP. Now if I log in locally I get those local groups, but if I log in via SSH into the same machine I lack them. They of course come back, if I use su straight afterwards. I may be on the wrong track, but suspect PAM.

Relevant entries from nsswitch.conf

passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap

As for pam, always the auth line, but the other lines are the same

/etc/pam.d/sshd

auth            include         system-remote-login

/etc/pam.d/system-remote-login (identical to system-local-login I might add)

auth            include         system-login

/etc/pam.d/system-login

auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so 
auth            required        pam_nologin.so 
auth            include         system-auth
auth            optional        pam_gnome_keyring.so

account         required        pam_access.so 
account         required        pam_nologin.so 
account         include         system-auth
account         required        pam_tally2.so onerr=succeed 

password        include         system-auth
password        optional        pam_gnome_keyring.so

session         optional        pam_loginuid.so
session         required        pam_env.so 
session         optional        pam_lastlog.so 
session         include         system-auth
session         optional        pam_gnome_keyring.so auto_start
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so

/etc/pam.d/su

auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include              system-auth

account    include              system-auth

password   include              system-auth

session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so

/etc/pam.d/common-auth:

auth    required     pam_group.so use_first_pass

What could be the problem and how would I solve it? I'm happy to provide other information needed.

What does your `/etc/nsswitch.conf` looks like for `group`? What is the output of `getent YOURUSERNAME`? Does your `/etc/pam.d/sshd` @include common-{session,auth,password,account}? — eppesuig, Jan 04 '13 at 13:23
I need to add a database for getent's commandline, which one should i query? @RahulPatil What do you mean exactly? What is the client to you? The machine connecting via ssh? — Max, Jan 04 '13 at 13:34
@Max do you want same groups via `ssh` login same as when you access via `su`. am i correct ? — Rahul Patil, Jan 04 '13 at 13:56
`getent group max` is empty, but that makes sense, this I don't have a group named after my user that I am part of and that command would query a group named max, right? @RahulPatil yes — Max, Jan 04 '13 at 14:06
@Max , sorry this is last question , if possible post your `/etc/pam.d/su` — Rahul Patil, Jan 04 '13 at 14:23
What's the operating system? And variant/distribution thereof? — Stéphane Chazelas, Jan 04 '13 at 15:16
Just to check: do you have `UsePAM yes` in `/etc/ssh/sshd_config` ? — peterph, Jan 04 '13 at 23:44
It is strange to me pam_ldap.so it not in any files, like "type sufficient pam_ldap.so". Also, "su" config uses " pam_xauth.so", where "ssh" config doesn't. Could you indicate which distro you are using? Pam packaging may vary. — Arcadien, Jan 17 '13 at 10:43
@Aurelien, when you have "shadow ldap", then pam_unix does the authentication retrieving the password info from nss. — Stéphane Chazelas, Jan 17 '13 at 15:29
I think you're off track suspecting PAM. More likely a NIS problem. PAM has no idea of groups at all; it's all done through libc when sshd calls initgroups. — Nicholas Wilson, Jan 19 '13 at 11:27
Actually, I slightly modify that: apparently some modules hook the pam_setcred call to establish user groups, which is why sshd calls initgroups _before_ pam_setcred. Hmmm. — Nicholas Wilson, Jan 19 '13 at 12:29
Not really to be honest. It's all true (apart from the fact that i checked that the uids and users always coincide) but doesn't really get me anywhere. — Max, Jan 23 '13 at 01:18

score 3 · Accepted Answer · edited Apr 05 '19 at 23:34

I took heart today and finally solved it. The pam chain works like this

/etc/pam.d/sshd includes:
- /etc/pam.d/system-remote-login that includes:
  - /etc/pam.d/system-login that includes:
    - /etc/pam.d/system-auth which has an optional requirement

Apparently the last include does not work for some reason. The reason why I was so puzzled so far was that I trusted that these includes would work, which wasn't the case. If someone can explain why I'd be very grateful. I know this because if i add the line

auth    optional  pam_group.so

into the /etc/pam.d/system-login then it works.

score 1 · Answer 2 · answered Jan 17 '13 at 23:32

The login program (which sets up your environment, including UID, GID and supplemental groups) gets data on username <--> UID, GID and the supplementary groups to which username belongs, from some sort of database. Traditionally from the /etc/passwd and /etc/groups files, today also from LDAP. Depending on the data source, the groups you get assigned can vary.

Be careful, if different sources are mixed you can very well end up with an account with the same name but different UIDs (the system really uses UID internally), or different sets of groups. The result is normally very entertaining for the casual onlooker, while leading to premature baldness due to extensive hair-pulling for the parties in charge. (Been there.)

score 0 · Answer 3 · edited Aug 27 '14 at 14:22

0

I had an almost similar problem: when logged in using ssh, some groups were missing. It has been solved by changing /etc/nsswitch.conf:

group:      compat  -> group:      files nis

edited Aug 27 '14 at 14:22

Nidal

8,856
11
55
74

answered Aug 27 '14 at 14:02

Jean-Francois Bocquet

1

score 0 · Answer 4 · edited Apr 13 '17 at 12:36

0

Into nsswitch.conf:

    group:          compat ldap

afaik this calls getgrent, which gets the groups (group entries)

EDIT: another thing is to add the following to /etc/pam.d/common-auth:

auth    required     pam_group.so use_first_pass

for more information have a look here: Assign local groups to users and maybe this newgrp-and-groups-assigned-via-pam-group-so

edited Apr 13 '17 at 12:36

Community

1

answered Feb 13 '13 at 06:26

xx4h

2,392
16
17

That line is already present just like that. – Max Feb 14 '13 at 11:02
maybe add it to "Relevant entries from nsswitch.conf" in your question. – xx4h Feb 14 '13 at 18:08
done and the edit didn't help unfortunately. – Max Feb 14 '13 at 18:45
did you do `pam-auth-update` and a nscd restart? – xx4h Feb 14 '13 at 19:14

Groups differ from the local ones when logging in remotely

4 Answers4

Linked