[Novalug] samba, PAM and active directory

Miguel Gonzalez miguel_3_gonzalez@yahoo.es
Wed Feb 20 14:35:13 EST 2008


Hi,

  I want users to be able to log on (SSH and console) to a
Debian box through Active Directory. I still want the root
user to be able to log on (SSH and console), so I created a
wheel group for that.

  I can log on successfully with all AD and root
users. However, I'd like to limit the AD users to the
technology domain group.

  I've googled a lot:

  http://ubuntuforums.org/showthread.php?t=547324

  but I can't figure out how to make it work on my Debian
box.

  Here are my settings:
  
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#

account sufficient      pam_succeed_if.so debug user ingroup wheel
account sufficient      pam_succeed_if.so debug user ingroup Technology

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient      pam_unix.so debug nullok_secure try_first_pass
auth    required        pam_winbind.so debug


#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

#password   required   pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

auth    sufficient      pam_winbind.so
auth    required        pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass


#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session         required        pam_unix.so debug try_first_pass
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_winbind.so debug

I've created a test AD user that is not in the
Technology group. If I issue:

svn:/etc/pam.d# su - test
su: Permission denied
(Ignored)

the auth.log file gives:

Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup wheel" not met by user "test"
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup Technology" not met by user "test"
Feb 20 13:45:27 svn su[6526]: Successful su for test by root
Feb 20 13:45:27 svn su[6526]: + pts/0 root:test
Feb 20 13:45:27 svn su[6526]: (pam_unix) session opened for user test by (uid=0)
Feb 20 13:45:27 svn pam_winbind[6526]: pam_winbind: pam_sm_open_session handler (flags: 0x0000)

So it sees that the test user is not part of any of the
allowed groups, but the user is still being logged on.

What am I doing wrong?

Thanks,

Miguel

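Added example (editor's, not part of the original post): a common-account stack that admits only the wheel and Technology groups and fails closed explicitly. Two details of the posted log are worth reading before changing anything. First, the posted stack of two `sufficient` lines with nothing after them does refuse the user "test": when every module in a stack is ignored, Linux-PAM returns PAM_PERM_DENIED, and that is the "su: Permission denied" printed by su. Second, the "(Ignored)" on the next line is su's behaviour when root is the caller: root may switch to any account, so su reports the pam_acct_mgmt() failure and opens the session anyway, which is why the log then shows "Successful su for test by root". Running `su - test` as root therefore does not exercise this restriction; an SSH or console login as "test" does. The example keeps the group names from the post and uses only pam_succeed_if.so, pam_winbind.so and the standard control flags; `quiet` replaces `debug` once the stack behaves. That the group name resolves as "Technology" through winbind is an assumption taken from the post (check it with `getent group Technology` and `id <aduser>`; with "winbind use default domain = no" in smb.conf it would be "DOMAIN\Technology" instead).

```pam
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# Added example: only members of the local "wheel" group and of the AD
# group "Technology" may log in; everybody else is refused explicitly.
# "Technology" is assumed to be the name NSS/winbind returns for the
# group ("getent group Technology"); with "winbind use default domain = no"
# in smb.conf it would be "DOMAIN\Technology" instead.
#

# Local administrators: the hand-made wheel group that root was put in.
# On success the stack ends here with PAM_SUCCESS.
account sufficient      pam_succeed_if.so quiet user ingroup wheel

# Everyone else must be in Technology. "requisite" makes failure final:
# no later module runs and pam_acct_mgmt() returns the failure, so a
# non-member is refused even if something is appended below later.
account requisite       pam_succeed_if.so quiet user ingroup Technology

# Technology members still get winbind's own account checks, such as an
# AD password that has expired and must be changed at next logon.
account required        pam_winbind.so
```

A wheel member leaves the stack at the first line, so the /etc/shadow expiry check that Debian's default `account required pam_unix.so` line performed is not run for local users in this example. Separately, the last two lines of the posted common-password are `auth` lines: because Debian's service files include common-password textually, those two lines are appended to the auth stack of every service that includes it, and common-password itself is left with no `password` module, so password changes will fail until they are rewritten as `password` lines.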