access.conf with pam.d

[ScholesC]

Hi ALL,

we want to lock down server using access.conf ..
but we have issue on all of the OS version except centos5.10.

we have sa account and sa group.
$ id sa
uid=100335(sa) gid=100335(sa)

we only want sa account to be able to access this box , and other users in sa group should not be able to access this box.

we have this entry in /etc/pam.d/system-auth
account required pam_access.so nodefgroup
and this entry in /etc/security/access.conf
+ : sa : ALL
- : (sa) : ALL # may not needed
- : ALL : ALL EXCEPT LOCAL

it totaly doesn't work .. users in sa group can still access this box.. that means sa without parentheses will be searched group database ..

but the weird thing , is centos5.10 works with settings(access.conf and pam.d file) above , other OS version doesn't work ...


can you please help ? how I can lock down access for group on server when username and groupname are same ?

thanks,
David.

[ScholesC]

can anyone help pls ?

[ScholesC]

just FYI ,

talked to RHEL ..

it is fixed now .


>make sure to add following line in both /etc/pam.d/system-auth and /etc/pam.d/password-auth file:
> ---
> account required pam_access.so nodefgroup <------------