Winbind PAM.D AD Groups, CentOS 5, Allow Only?


PAM Winbind is configured in /etc/security/pam_winbind.conf.

To restrict access to users in specified groups, add this line: require_membership_of = [SID],[SID],[SID]. This is enforced by pam_winbind itself when it handles the user, so it does not depend on the ordering of pam_succeed_if lines in the service files. Samba versions differ on whether pam_winbind also enforces it in the account phase, so test a login path that skips PAM authentication (e.g. SSH public-key auth) before relying on it alone.

Replace [SID] with the SID of the AD user or group. You can look up the SID for a name with: wbinfo -n 'DOMAIN\NAME' (wbinfo -s does the reverse, SID to name).

Replace [NAME] with the AD user or group name, in the form winbind resolves it (usually DOMAIN\name, matching the output of getent passwd / getent group).

However, this entire winbind setup should not be necessary; the traditional Kerberos+LDAP method is normally the better choice. Either way, a group restriction has to live somewhere that can actually deny a login: in pam_winbind.conf as above, or as an account-phase check in the PAM service file that ends in pam_deny.so rather than a chain of `sufficient` lines.


Updated on September 18, 2022


    I'm attempting to create a configuration where users in specified AD groups can log in. I'm having trouble stopping every other AD user from logging in. I've been doing this through /etc/pam.d/sshd, but is such a setup possible through /etc/pam.d/login? Wouldn't that be a safer option? I also really dislike winbind and prefer the Kerberos+LDAP method, but unfortunately I'm not able to switch at this moment. I appreciate any help, as I've been reading for a while and have not found solid direction.

    These are the current pam.d configuration files,

    /etc/pam.d/system-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    #
    # Shared stacks pulled in by the per-service files (login, sshd) via
    # `include`. An include splices these lines into the including service's
    # stack, so a `sufficient` success here returns from the WHOLE stack of
    # that service, and a `required`/`requisite` failure here fails it.
    #
    # --- auth: who is the user and do they know the password ---
    auth        required      pam_env.so
    # Local accounts first. NOTE(review): `nullok` lets a local account with an
    # empty password field authenticate; drop it if no such account is intended.
    auth        sufficient    pam_unix.so nullok try_first_pass
    # System accounts (uid < 500) never reach winbind; `requisite` means the
    # stack fails right here for them if pam_unix did not already accept.
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    # AD users. Any `require_membership_of` in /etc/security/pam_winbind.conf
    # is applied by this module when it authenticates the user.
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so
    
    # --- account: is the (already authenticated) account allowed in ---
    # This stack runs for SSH public-key logins too (sshd with UsePAM yes runs
    # account/session even when it skipped the PAM auth stack), so account-phase
    # checks are the place for restrictions that must cover every login path.
    account     required      pam_unix.so
    # Local system accounts stop here with success and skip the winbind check
    # (and, because of `include` semantics, any account lines the including
    # service file has after its `include system-auth`).
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    # Users winbind does not know are ignored; winbind failures are fatal.
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    # Unconditional success for everyone who got this far. Consequence for the
    # per-service files: once this line has run the stack has already PASSED,
    # so a `sufficient` line placed after `account include system-auth` can
    # only short-circuit on success; it can never turn the result into a
    # denial. Restrictions appended there must be `required` or end in
    # pam_deny.so to have any effect.
    account     required      pam_permit.so
    
    # --- password: changing passwords ---
    password    requisite     pam_cracklib.so try_first_pass retry=3
    # NOTE(review): local hashes are md5 here; if the installed glibc supports
    # it, `sha512` (authconfig --passalgo=sha512) is the stronger choice.
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so
    
    # --- session: per-login setup ---
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    # Creates the home directory on first login (AD users have none locally).
    session     optional      pam_oddjob_mkhomedir.so
    # Skip the pam_unix session entry for cron jobs (jumps over the next line).
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    

    /etc/pam.d/login

    #%PAM-1.0
    # Service file for the `login` program (tty/console logins: pam_securetty
    # and pam_console below only make sense for a local console). It is NOT
    # consulted by sshd, which has its own service file, so a group
    # restriction placed only here would leave SSH logins unrestricted. To
    # cover every service at once put the restriction in system-auth (or in
    # pam_winbind.conf); to cover just SSH put it in /etc/pam.d/sshd.
    #
    # root may only log in on ttys listed in /etc/securetty; other users are
    # passed through (user_unknown=ignore) and the result comes from
    # system-auth.
    auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    auth       include      system-auth
    # Refuse non-root logins while /etc/nologin exists.
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    optional     pam_keyinit.so force revoke
    # Sets the audit loginuid so later actions are attributable to this login.
    session    required     pam_loginuid.so
    session    include      system-auth
    # Console device ownership for the logged-in user (console logins only).
    session    optional     pam_console.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open
    

    /etc/pam.d/sshd

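    #%PAM-1.0
    # Service file for sshd. With `UsePAM yes` in sshd_config the account and
    # session stacks run for EVERY SSH login, including public-key logins that
    # never touch the auth stack, so the group restriction below belongs in
    # the account phase.
    auth       include      system-auth
    # Refuse non-root logins while /etc/nologin exists.
    account    required     pam_nologin.so
    # Splices in system-auth's account stack. Two consequences matter here:
    #  * system-auth's `account sufficient pam_succeed_if.so uid < 500` returns
    #    from this whole stack with success, so root and system accounts never
    #    reach the group checks below;
    #  * everyone else leaves system-auth via `account required pam_permit.so`,
    #    i.e. the stack has ALREADY succeeded by the time the lines below run.
    account    include      system-auth
    # Restrict the remaining (uid >= 500, i.e. AD and ordinary local) users to
    # members of the listed AD groups. The previous version used three
    # `sufficient` lines here; a `sufficient` line can only short-circuit on
    # success and never turns an already-successful stack into a failure, so it
    # restricted nothing and every AD user could log in. Instead, each match
    # jumps over the remaining checks and the final pam_deny.so; a user who
    # matches none of the groups falls through to pam_deny.so and is refused.
    # (A jump action counts as `ok`, so the stack result stays success.)
    # The group names must be spelled exactly as winbind returns them
    # (see `getent group`; this depends on `winbind separator` and
    # `winbind use default domain` in smb.conf).
    account    [success=3 default=ignore] pam_succeed_if.so user ingroup DOMAIN\Group_1
    account    [success=2 default=ignore] pam_succeed_if.so user ingroup DOMAIN\Group_2
    account    [success=1 default=ignore] pam_succeed_if.so user ingroup DOMAIN\Group_3
    account    required     pam_deny.so
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    # Sets the audit loginuid so later actions are attributable to this login.
    session    required     pam_loginuid.so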