Linux + Active directory authentication + only letting certain groups login

linux active-directory samba ldap winbind

51,323

Solution 1

Assuming the groups are available to the Linux system, I recommend editing /etc/security/access.conf for Ubuntu, RedHat distributions (and their forks) and probably a bunch of others. This doesn't require editing PAM files, and is a nicely standard place to do it. There are usually examples in the file, commented out.

Solution 2

(I'm talking about samba 3 here, no experience on samba 4 now.)

There is no need to edit those /etc/pam.d/xxx files. pam_winbind.conf is the file you want, it is usually located at /etc/security/pam_winbind.conf.

It is the configuration file of pam_winbind module, and it works for both CentOS/Redhat and Debian/Ubuntu. You can read the man page of pam_winbind.conf for reference.

Here is an example file.

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
;krb5_auth = no

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependend on membership of one SID
# (can also take a name)
# require_membership_of = SID,SID,SID
require_membership_of = S-1-5-21-4255311587-2195296704-2687208041-1794

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
mkhomedir = yes

Solution 3

I currently use the AllowGroups directive in /etc/ssh/sshd_config to limit who's able to log in. Specify a one or more AD groups on that line, and those people will be the only ones able to log in.

Keep in mind that this only works if your users are only accessing the server remotely via ssh. If they're singing in locally, you'll need to find another solution.

Solution 4

Yes, there are a few ways of doing this depending on what you're trying to accomplish exactly.

The first method can be done through the samba config. This will only allow these users to connect to Samba, other users can still login through other services (ssh, local term, etc). With this, you'll want to add a line to your [global] section in smb.conf:

valid users = @groupA @groupB

The other method is by modifying PAM rules. Different distributions have slight differences here, but generally speaking there are PAM rules per service as well as common rules, you can decide what is best. You'll want to add an account restriction using the pam_require module. An example on my laptop (Fedora 13) would be to modify the account section in /etc/pam.d/system-auth to:

account     required      pam_unix.so
account     required      pam_require.so @groupA @groupB
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

To simplify administration, you might want to create a new group in AD for the purpose of tracking users that can login to this server.

Solution 5

I struggled with getting any of the above to work for me in RHEL 7. Below is what I was able to get to work.

/etc/sssd/sssd.conf

Change access_provider = ad to access_provider = simple + simple_allow_groups = @[email protected], @[email protected]

visudo

%[email protected] ALL=(ALL) ALL

restart the sssd service.

View more solutions

51,323

Luma

Updated on September 17, 2022

Comments

Luma almost 2 years

I have some linux boxes that use Windows Active Directory authentication, that works just fine (Samba + Winbind).

What I would like to do now though is only allow certain people or certain groups to login using Active Directory credentials. Currently anyone with a valid AD account can login. I want to limit this to only a few groups. Is this doable?
Luma almost 14 years

Thanks, this is what I ended up using to do what I wanted to do, all the answers above where great but this is the one that worked best for me. I use the Samba file to lock down Samba and now I am using this access.conf file to lock down SSH logins.
Geoffrey almost 9 years

Information is missing
FreeSoftwareServers almost 8 years

Link is dead, useless post.
Todd Walton over 6 years

I only see step 404. No 7 and 8.
Jiri B about 2 years

It seems pam_winbind(8) mentions require_membership_of options which should give access if the user is a member of the given SID or NAME. I don't know if it allows multiple values.