We store our users in LDAP, alongside some groups that have meaning across different systems (organizational roles including wheel). There are also groups local to workstations, e.g. audio or video, that are not desirable to be put into LDAP. Now if I log in locally I get those local groups, but if I log in via SSH into the same machine I lack them. They of course come back if I use su straight afterwards. I may be on the wrong track, but suspect PAM.
Relevant entries from nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
group: compat ldap
As for PAM, always the auth line, but the other lines are the same.
/etc/pam.d/sshd
auth include system-remote-login
/etc/pam.d/system-remote-login (identical to system-local-login, I might add)
auth include system-login
/etc/pam.d/system-login
auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
auth optional pam_gnome_keyring.so
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally2.so onerr=succeed
password include system-auth
password optional pam_gnome_keyring.so
session optional pam_loginuid.so
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_gnome_keyring.so auto_start
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
/etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
/etc/pam.d/common-auth:
auth required pam_group.so use_first_pass
What could be the problem and how would I solve it? I'm happy to provide other information needed.
Best Answer
I took heart today and finally solved it. The PAM chain works like this:
/etc/pam.d/sshd
includes: /etc/pam.d/system-remote-login
that includes: /etc/pam.d/system-login
that includes: /etc/pam.d/system-auth
which has an optional requirement
Apparently the last include does not work for some reason. The reason why I was so puzzled so far was that I trusted that these includes would work, which wasn't the case. If someone can explain why, I'd be very grateful. I know this because if I add the line
into the
/etc/pam.d/system-login
then it works.
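The include chain the answer walks by hand can be checked mechanically instead of trusted. The following is an added example, not code from the question or the answer: a small Python resolver that follows include/substack lines through a constructed stand-in for /etc/pam.d built from the auth lines quoted in the question and reports which modules actually end up in the sshd auth stack. The contents of system-auth are not shown on the page, so that file is an assumed placeholder.

```python
import os
import tempfile

# Constructed stand-in for /etc/pam.d built from the auth lines quoted in the question.
# system-auth is not shown there, so it is a placeholder that does NOT include common-auth.
SAMPLE_PAMD = {
    "sshd": "auth include system-remote-login\n",
    "system-remote-login": "auth include system-login\n",
    "system-login": ("auth required pam_tally2.so onerr=succeed\n"
                     "auth required pam_shells.so\n"
                     "auth required pam_nologin.so\n"
                     "auth include system-auth\n"
                     "auth optional pam_gnome_keyring.so\n"),
    "system-auth": "auth required pam_unix.so\n",  # placeholder, not from the page
    "common-auth": "auth required pam_group.so use_first_pass\n",
}

def resolve_stack(pamd_dir, service, stack, seen=()):
    """Flatten one stack (auth/account/password/session) of `service`, following
    include/substack lines; returns (control, module, args, file) in run order."""
    if service in seen:                      # include loop guard
        return []
    path = os.path.join(pamd_dir, service)
    if not os.path.isfile(path):             # dangling include: make it visible
        return [("MISSING", service, "", service)]
    rows = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split(None, 2)
            if len(fields) < 3 or fields[0] != stack:
                continue
            control, rest = fields[1], fields[2].strip()
            module, _, args = rest.partition(" ")
            if control in ("include", "substack"):
                rows += resolve_stack(pamd_dir, module, stack, seen + (service,))
            else:
                rows.append((control, module, args.strip(), service))
    return rows

def effective_modules(service="sshd", stack="auth", fix_in=None):
    """Materialise the sample tree in a temp dir and return the module names that run
    for service/stack; fix_in appends the pam_group line to that file first."""
    pamd = tempfile.mkdtemp()
    for name, body in SAMPLE_PAMD.items():
        with open(os.path.join(pamd, name), "w") as fh:
            fh.write(body)
    if fix_in:                               # the answer's workaround: fix_in="system-login"
        with open(os.path.join(pamd, fix_in), "a") as fh:
            fh.write("auth required pam_group.so use_first_pass\n")
    return [module for _, module, _, _ in resolve_stack(pamd, service, stack)]
```

Pointed at a real /etc/pam.d via resolve_stack, the output for sshd/auth shows at a glance whether pam_group.so is reached and which file it came from. The resolver only handles the plain include form used in the question's files; bracketed controls such as [success=1 default=ignore] and Debian-style @include lines would need extra parsing.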