
Re: id gives conflicting results



> The issue is with pam_group and /etc/security/group.conf.

I doubt that: /etc/security/group.conf is empty (apart from comments).

I have been tinkering with this every now and then and the problem won't
go away. It even seems to manifest itself at random!

For example, I created a user "testuser" for this purpose. It has no
local accounts anywhere (not even a matching uid), so it's a completely
LDAP-based user. On one machine (call it A) the user can
read /var/log/syslog, on another it cannot (call it B). On A, if the
user logs into a VT, it can read /var/log/syslog with and without an OpenAFS
PAG; when logged into X (always with a PAG), it can read it, too. But
when using ssh to log into A from the VT, suddenly the user cannot read
the log any longer! However, logging in with ssh from B, the user CAN
read the log. Also, with the two users I observed this with earlier, there
does not seem to be any logic whatsoever as to which user can read which
files and when.

How can I debug this further? I don't know how the kernel checks the
permissions, since apparently the output of "id" and the groups the
kernel thinks the user belongs to differ. Perhaps tweaking nsswitch.conf
might help? Currently, the relevant part is

passwd:         ldap [SUCCESS=return] compat
group:          ldap [SUCCESS=return] compat

(I also tested with SUCCESS=continue on both lines.)

-Juha

-- 
                 -----------------------------------------------
                | Juha Jäykkä, juolja@utu.fi                    |
                | Laboratory of Theoretical Physics             |
                | Department of Physics, University of Turku    |
                | home: http://www.utu.fi/~juolja/              |
                 -----------------------------------------------
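An added diagnostic for the mismatch described in the mail above (not part of Juha's post): it compares the group list NSS hands to "id" with the supplementary groups the kernel actually attached to the running process, read from /proc/self/status. Only the kernel's list is consulted for the permission check on /var/log/syslog, so a gid present in the first list but absent from the second explains a denial that "id" alone cannot. It assumes a Linux procfs and POSIX coreutils; the gid values in the comments are constructed.

```shell
#!/bin/sh
# Added example: NSS view of a user's groups (what "id" prints) versus the
# credentials the kernel holds for this process. Assumes Linux /proc.

# Normalise a whitespace-separated list of numeric gids: one per line, sorted, unique.
norm_gids() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -E '^[0-9]+$' | sort -n | uniq
}

# Print gids present in the NSS list ($1) but absent from the kernel list ($2).
# The kernel only consults its own list, so these are the groups whose file
# permissions are denied even though "id" claims membership
# (e.g. NSS "1000 4 24 27" vs kernel "1000 24 27" -> "4").
missing_in_kernel() {
    have=" $(norm_gids "$2" | tr '\n' ' ')"
    for g in $(norm_gids "$1"); do
        case "$have" in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Kernel view: effective gid plus supplementary groups of the calling process.
kernel_groups() {
    awk '/^Gid:/ { egid = $3 } /^Groups:/ { $1 = ""; print egid, $0 }' /proc/self/status
}

# NSS view: the list "id -G" builds from passwd/group lookups per nsswitch.conf.
nss_groups() {
    id -G "${1:-$(id -un)}"
}

# Run from the shell whose access is in doubt (a VT login versus an ssh
# login) and compare the two lines; only the kernel line decides file access.
report() {
    nss=$(nss_groups "$@")
    kern=$(kernel_groups)
    printf 'id -G  : %s\n' "$nss"
    printf 'kernel : %s\n' "$kern"
    missing=$(missing_in_kernel "$nss" "$kern")
    if [ -n "$missing" ]; then
        printf 'in NSS but not in process credentials: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
        printf 'the login path did not apply these groups (initgroups), or NSS answered differently then\n'
    else
        printf 'no difference\n'
    fi
}

if [ "${1:-}" = "--run" ]; then report; fi
```

Invoke it as `sh groupcheck.sh --run` once from a VT session and once from the ssh session on the same host; if the kernel lines differ while the id lines agree, the login path (PAM or sshd) is where the groups get lost, not the kernel's permission check.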
