PAM-modules Manual

10 Check NIS netgroup

The pam_innetgr module checks if the user and current host match a triple in the NIS netgroup supplied via the ‘netgroup’ argument. It returns success if so, and ‘PAM_AUTH_ERR’ otherwise.

Other possible return values are: ‘PAM_AUTHINFO_UNAVAIL’, if the input information was not sufficient (e.g. the username was not supplied, or the module was unable to determine the host or domain name), and ‘PAM_SERVICE_ERR’, if a generic error condition (such as a lack of memory) occurred.

In order to determine host and domain name parts, the following approach is used. First, the ‘gethostname’ function is called to obtain the hostname part. If the ‘getdomainname’ function is available, it is used to determine the domain part. If the resulting domain part is ‘NULL’ or the string ‘(none)’, the ‘gethostbyname’ function is invoked with the hostname as its argument. The returned name (technically speaking, the ‘h_name’ member of the ‘struct hostent’) is used as the canonical name of the server. It is split on the first occurrence of the dot character. The second part is used as the domain name. The options described below control this process.

This module can be used in any PAM service stack.

10.1 Summary of pam_innetgr options

The following table summarizes the options specific to this module. See common options for the list of common options.

netgroup=name

Name of the netgroup to use. This option is mandatory.

hostname=string

Defines the hostname of the current host. By default it is determined using the gethostname system call.

domainname=string

Defines the domainname of the current host.

nogetdomainname

Disable the use of the getdomainname libc function. By default it is used to determine the domain name. If it fails or returns the string ‘(none)’, then the module tries to get the fully qualified name of the server and uses the part after the first dot as the domain name. Using the ‘nogetdomainname’ option instructs it to always use the latter method.

Never use this option together with ‘noresolve’.

noresolve

Don’t fall back to obtaining the fully qualified domain name of the host from DNS in order to obtain the domain part. This means that if the getdomainname call fails or is not available on your system, the module will return PAM_SERVICE_ERR.

Never use this option together with ‘nogetdomainname’.

sense={allow|deny}

What to do on success. The value ‘allow’ means to return PAM_SUCCESS, ‘deny’ means to return PAM_AUTH_ERR. Default is ‘allow’.
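The domain determination described above, together with the effect of ‘nogetdomainname’ and ‘noresolve’, modelled as an added example (it is not code from pam_innetgr itself). The function and constant names are hypothetical, the results of the system calls are passed in as arguments, and treating an empty domain or an unqualified canonical name as a failure is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Outcome codes of this sketch (hypothetical names, not the module's own). */
enum { DOM_OK, DOM_SERVICE_ERR, DOM_UNAVAIL };

/* Per the text, NULL or "(none)" is unusable; empty is treated alike (assumption). */
static int domain_usable(const char *d)
{
    return d != NULL && *d != '\0' && strcmp(d, "(none)") != 0;
}

/*
 * nis_domain: result of getdomainname(), NULL if the call failed or is missing.
 * canon_name: h_name from gethostbyname(hostname), NULL if the lookup failed.
 */
int pick_domain(const char *nis_domain, const char *canon_name,
                int nogetdomainname, int noresolve, char *out, size_t outlen)
{
    const char *src = NULL, *dot;

    if (!nogetdomainname && domain_usable(nis_domain))
        src = nis_domain;
    else if (noresolve)
        return DOM_SERVICE_ERR;   /* no fallback allowed (PAM_SERVICE_ERR) */
    else if (canon_name && (dot = strchr(canon_name, '.')) && dot[1] != '\0')
        src = dot + 1;            /* part after the first dot */
    if (src == NULL || strlen(src) >= outlen)
        return DOM_UNAVAIL;       /* assumption: unqualified name is a failure */
    strcpy(out, src);
    return DOM_OK;
}

int main(void)
{
    char dom[256];
    /* Constructed inputs: NIS domain unset, canonical name from the resolver. */
    int rc = pick_domain("(none)", "login1.corp.example.org", 0, 0, dom, sizeof dom);
    printf("rc=%d domain=%s\n", rc, rc == DOM_OK ? dom : "-");
    /* Both options at once: neither method remains, so the lookup cannot succeed. */
    rc = pick_domain("nis.example", "login1.corp.example.org", 1, 1, dom, sizeof dom);
    printf("rc=%d\n", rc);
    return 0;
}
```

The second call shows why the two options must not be combined: ‘nogetdomainname’ rules out the first method and ‘noresolve’ rules out the second, so the netgroup triple can never be checked.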
