# Active Directory accounts and su



## fortysix2 (Apr 2, 2012)

Hello,

I currently have a fresh install of FreeBSD 9 and I am having some trouble granting permissions to utilize the su service for network accounts. The server is linked to my Active Directory via Samba and Kerberos. I have successfully limited login access via console and SSH based on membership of certain groups in AD. My final hurdle that I am trying to overcome is allowing certain groups in AD to utilize su. Based on what I have read I believe the correct approach to achieving this is to edit the /etc/pam.d/su configuration file. I first attempted to utilize the pam_winbind module the same way that I allowed access for the sshd service but was not able to get it to work. I thought I remembered reading somewhere that the su service won't read this particular module so I reverted to using the pam_group module. I placed the following lines above the standard wheel requirement line.

Sample of /etc/pam.d/su:

```
auth    sufficient    pam_group.so    no_warn group=sec_webdev root_only fail_safe ruser
auth    sufficient    pam_group.so    no_warn group="dom admin" root_only fail_safe ruser
```

One of the accounts has a space in the name which is mildly frustrating. Are quotes the correct syntax for dealing with spaces in the group name?

I have searched and searched with no luck and also read the documentation but I am not sure if I am just missing something. Any input or recommendations would be greatly appreciated. I was trying to use the already established accounts and groups in our AD over creating new accounts locally on this server.

Thanks in advance.


----------



## gordon@ (Apr 4, 2012)

First thing to check is to make sure that the group membership is working. Try running `% getent group sec_webdev` and verify that it works.

After that, see if you can get just the first line to work. Using debug might help as well.


----------



## fortysix2 (Apr 6, 2012)

Thank you for the reply.

I moved my focus to just getting one of the groups to work properly based on your suggestion.

Typing the following command displays the desired group membership. 

`# getent group sec_webdev`

So it appears to be reading from AD correctly. 

I added one of the lines to /etc/pam.d/su to determine where the authentication process is failing. I also changed the options of the other PAM modules to debug to help trace what is happening.


```
auth    sufficient    pam_group.so    no_warn group=sec_webdev root_only ruser
```

Now when a user attempts to su with the above group membership it is successful. Unfortunately it does not prompt for the root password. A user account without the group membership is declined as expected. I have assigned a password to the root account.

From what I can tell the below debug output of the process displays that pam_group.so is the module that is allowing the su to pass without a password being entered.


```
pam_rootok: pam_sm_authenticate: Refused; not superuser
```


```
pam_self: pam_sm_authenticate: Refused; source and target users differ
```

Pardon my lack of familiarity, but should pam_group.so still require the password to be entered? I reviewed the pam_group documentation and I don't see, or I missed, any indication that this is desired. I would prefer a password still be required.

Thanks again.


----------
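The behaviour described in the last post follows from the PAM control flag, not from pam_group itself: a `sufficient` module that succeeds ends the auth stack with success right there, so the `include system` line (where pam_unix asks for the password) is never reached, whereas the default wheel line uses `requisite`, which only gates and lets the walk continue to the password check. The simulator below is an added example for this thread, not code from FreeBSD, OpenPAM or the posters. It embeds the thread's configuration next to a constructed alternative that checks the password first and then ORs several group gates; the group table, the trimmed `system` policy and the per-module verdicts (pam_rootok, pam_self, pam_group with `root_only`/`fail_safe`/`ruser`, pam_unix, pam_deny) are all constructed approximations. The parser uses `shlex`, so a quoted `group="dom admin"` is one token here; whether the real pam.d parser accepts the same quoting should be checked against openpam_readword(3).

```python
"""Simulate how an OpenPAM-style 'auth' stack is evaluated for su(1).

Added example for this thread; not FreeBSD's, OpenPAM's or the poster's code.
Module behaviour is a constructed approximation of pam_rootok, pam_self,
pam_group, pam_unix and pam_deny, enough to show why 'sufficient' on
pam_group skips the password prompt while 'requisite' or 'required' does not.
"""
import shlex

SUCCESS, IGNORE, FAIL = "success", "ignore", "fail"

# Constructed stand-in for what `getent group` would return.
GROUPS = {"wheel": {"alice"}, "sec_webdev": {"bob"}, "dom admin": {"carol"}}

# Trimmed stand-in for the auth section of /etc/pam.d/system (pam_unix only).
POLICIES = {"system": "auth required pam_unix.so no_warn try_first_pass"}

# What the thread's /etc/pam.d/su ends up doing: pam_group as 'sufficient'.
SU_SUFFICIENT = """
auth  sufficient  pam_rootok.so  no_warn
auth  sufficient  pam_self.so    no_warn
auth  sufficient  pam_group.so   no_warn group=sec_webdev root_only ruser
auth  requisite   pam_group.so   no_warn group=wheel root_only fail_safe ruser
auth  include     system
"""

# Constructed alternative: password first, then OR the group gates, then deny
# if no gate matched. Both a correct password AND a group match are needed.
SU_PASSWORD_THEN_GROUPS = """
auth  sufficient  pam_rootok.so  no_warn
auth  sufficient  pam_self.so    no_warn
auth  required    pam_unix.so    no_warn try_first_pass
auth  sufficient  pam_group.so   no_warn group=wheel root_only ruser
auth  sufficient  pam_group.so   no_warn group="dom admin" root_only ruser
auth  required    pam_deny.so
"""

def parse_policy(text, policies=POLICIES):
    """Tokenize pam.d lines (shlex keeps "dom admin" as one word) and flatten
    'include' entries so the caller sees a single list of modules."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module, opts = fields[1], fields[2], fields[3:]
        if control == "include":
            entries.extend(parse_policy(policies[module], policies))
        else:
            entries.append((control, module, opts))
    return entries

def call_module(module, opts, ruser, target, password_ok, state):
    """Approximate each module's verdict for an su from ruser to target."""
    if module == "pam_rootok.so":
        return SUCCESS if ruser == "root" else FAIL
    if module == "pam_self.so":
        return SUCCESS if ruser == target else FAIL
    if module == "pam_deny.so":
        return FAIL
    if module == "pam_unix.so":
        state["prompted"] = True          # the only module that asks for a password
        return SUCCESS if password_ok else FAIL
    if module == "pam_group.so":
        if "root_only" in opts and target != "root":
            return IGNORE                 # root_only: skipped unless target is root
        kv = dict(o.split("=", 1) for o in opts if "=" in o)
        members = GROUPS.get(kv.get("group", "wheel"))
        if not members:                   # missing/empty group: fail_safe counts as a match
            return SUCCESS if "fail_safe" in opts else FAIL
        who = ruser if "ruser" in opts else target
        return SUCCESS if who in members else FAIL
    raise ValueError("unknown module " + module)

def run_auth(policy_text, ruser, target="root", password_ok=True):
    """Walk the stack with OpenPAM control-flag semantics.
    Returns (final result, whether a password was ever requested)."""
    state = {"prompted": False}
    required_failed = any_success = False
    for control, module, opts in parse_policy(policy_text):
        r = call_module(module, opts, ruser, target, password_ok, state)
        if r == IGNORE:
            continue
        any_success |= r == SUCCESS
        if control == "sufficient" and r == SUCCESS and not required_failed:
            return SUCCESS, state["prompted"]   # short-circuit: nothing after runs
        if control == "requisite" and r == FAIL:
            return FAIL, state["prompted"]      # hard stop
        if control == "required" and r == FAIL:
            required_failed = True              # noted, but the walk continues
    ok = any_success and not required_failed
    return (SUCCESS if ok else FAIL), state["prompted"]

if __name__ == "__main__":
    for name, pol in (("sufficient", SU_SUFFICIENT), ("password-then-groups", SU_PASSWORD_THEN_GROUPS)):
        for user in ("alice", "bob", "carol", "dave"):
            print(name, user, run_auth(pol, user))
```

Running it reproduces the thread: with the `sufficient` line, bob (in sec_webdev) gets root without ever being asked for a password, alice (wheel) is gated by the `requisite` line and then prompted by pam_unix, and dave is refused. With the password-then-groups ordering, a `sufficient` group match only terminates the stack when no earlier `required` module has failed, so a wrong password still fails even for a group member, and the trailing pam_deny refuses anyone who matched no group.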

