Winbind PAM.D AD Groups, CentOS 5, Allow Only?
PAM Winbind is configured from this file: /etc/security/pam_winbind.conf

To restrict access to users in specified groups, add this line:

require_membership_of = [SID],[SID],[SID]

Replace the [SID] with the proper AD User, or Group, SID. You can find out what users/groups are assigned which SIDs with this command:

wbinfo -n [NAME]

Replace [NAME] with the specified AD User, or Group, name.

However, this entire winbind situation should not exist, as you should normally opt for the traditional Kerberos+LDAP method.
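Resolving the names to SIDs and assembling that require_membership_of line, as an added shell example that is not part of the original answer. The EXAMPLE\ names and their SIDs are constructed sample wbinfo -n output so the script runs offline; WBINFO_LIVE=1 is an assumed switch that calls the real wbinfo instead.

```shell
#!/bin/sh
# Added example, not from the original post: resolve AD user/group names to SIDs
# with "wbinfo -n" and emit the require_membership_of line for
# /etc/security/pam_winbind.conf. Offline by default (constructed sample output);
# WBINFO_LIVE=1 (assumed switch) calls the real wbinfo instead.

# Parse one line of "wbinfo -n" output, which looks like
#   S-1-5-21-<domain>-<rid> SID_DOM_GROUP (2)
# Print the SID only if it is a well-formed domain SID (S-1-5-21-...) and the
# name resolved to a user, domain group or alias; anything else is rejected.
sid_from_wbinfo_line() {
    set -- $1
    printf '%s' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){4}$' || return 1
    case "$2" in
        SID_USER|SID_DOM_GROUP|SID_ALIAS) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Name lookup: constructed sample answers (EXAMPLE domain) or the real wbinfo call.
lookup_name() {
    if [ "${WBINFO_LIVE:-0}" = "1" ]; then
        wbinfo -n "$1"
        return $?
    fi
    case "$1" in
        'EXAMPLE\Group_1') printf '%s\n' 'S-1-5-21-1111111111-2222222222-3333333333-1105 SID_DOM_GROUP (2)' ;;
        'EXAMPLE\Group_2') printf '%s\n' 'S-1-5-21-1111111111-2222222222-3333333333-1106 SID_DOM_GROUP (2)' ;;
        'EXAMPLE\jdoe')    printf '%s\n' 'S-1-5-21-1111111111-2222222222-3333333333-1201 SID_USER (1)' ;;
        *) printf 'Could not lookup name %s\n' "$1" >&2; return 1 ;;
    esac
}

# Build "require_membership_of = SID,SID,..." from the names given as arguments.
# Any name that fails to resolve aborts the whole line, so a typo can never
# produce a config that silently omits one of the intended groups.
build_require_membership_of() {
    sids=""
    for name in "$@"; do
        line=$(lookup_name "$name") || return 1
        sid=$(sid_from_wbinfo_line "$line") || return 1
        sids="${sids:+$sids,}$sid"
    done
    printf 'require_membership_of = %s\n' "$sids"
}

# Usage (offline sample): prints the line to paste into pam_winbind.conf.
build_require_membership_of 'EXAMPLE\Group_1' 'EXAMPLE\Group_2'
```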
J. M. Becker
Updated on September 18, 2022
J. M. Becker over 1 year
I'm attempting to create a configuration where users in specified AD groups can log in. I'm having trouble stopping every AD user from logging in. I've been doing this through /etc/pam.d/sshd, but is such a setup possible through /etc/pam.d/login? Wouldn't that be a safer option? I also really dislike winbind, and prefer the Kerberos+LDAP method, but unfortunately I'm not able to switch at this moment. I appreciate any help, as I've been reading for a while and have not found solid direction.

These are the current pam.d configuration files:
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
/etc/pam.d/login
#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
/etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_1
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_2
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_3
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so