[Novalug] samba, PAM and active directory
Miguel Gonzalez
miguel_3_gonzalez@yahoo.es
Wed Feb 20 14:35:13 EST 2008
Hi,
I want users to be able to log on (SSH and console) to a Debian box through Active Directory. I still want the root user to be able to log on (SSH and console), so I created a wheel group for that.
I can log on successfully with all AD and root users. However, I'd like to limit the AD users to the Technology domain group.
I've googled a lot:
http://ubuntuforums.org/showthread.php?t=547324
but I can't figure out how to make it work on my Debian box.
Here are my settings:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_succeed_if.so debug user ingroup wheel
account sufficient pam_succeed_if.so debug user ingroup Technology

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_unix.so debug nullok_secure try_first_pass
auth required pam_winbind.so debug

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
#password required pam_unix.so nullok obscure min=4 max=8 md5
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
auth sufficient pam_winbind.so
auth required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so debug try_first_pass
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_winbind.so debug
I've created a test AD user that is not in the Technology group. If I issue:
svn:/etc/pam.d# su - test
su: Permission denied
(Ignored)
the auth.log file gives:
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup wheel" not met by user "test"
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup Technology" not met by user "test"
Feb 20 13:45:27 svn su[6526]: Successful su for test by root
Feb 20 13:45:27 svn su[6526]: + pts/0 root:test
Feb 20 13:45:27 svn su[6526]: (pam_unix) session opened for user test by (uid=0)
Feb 20 13:45:27 svn pam_winbind[6526]: pam_winbind: pam_sm_open_session handler (flags: 0x0000)
So it is seeing that the test user is not part of any of the allowed groups, but the user is still being logged on.
What am I doing wrong?
Thanks,
Miguel
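An added illustration, not part of the post above: a small Python model of how libpam walks a stack of control flags, run over the posted common-account stack, plus the rule shadow's su applies when the caller is root. Module outcomes and group memberships are constructed; the user names and groups are assumptions.

```python
"""libpam control-flag evaluation, applied to the common-account stack from
the post. Added illustration, not libpam code; module results are constructed
(a pam_succeed_if line succeeds when the user is in the named group)."""
from typing import Callable, List, Tuple

SUCCESS, PERM_DENIED = "PAM_SUCCESS", "PAM_PERM_DENIED"
Module = Callable[[str, List[str]], str]

def ingroup(group: str) -> Module:
    """Stand-in for 'pam_succeed_if.so user ingroup <group>'."""
    return lambda user, groups: SUCCESS if group in groups else PERM_DENIED

def deny(user: str, groups: List[str]) -> str:
    """Stand-in for 'pam_deny.so'."""
    return PERM_DENIED

def run_stack(stack: List[Tuple[str, Module]], user: str, groups: List[str]) -> str:
    """sufficient: success ends the stack unless a required line already failed,
    failure is ignored. required: failure is remembered, later lines still run.
    requisite: failure ends the stack at once. A stack where no line contributed
    a result returns libpam's initial status, PAM_PERM_DENIED."""
    impression, status = None, PERM_DENIED
    for control, module in stack:
        result = module(user, groups)
        if control == "sufficient":
            if result == SUCCESS and impression != "negative":
                return SUCCESS
        elif control in ("required", "requisite"):
            if result == SUCCESS:
                if impression is None:
                    impression, status = "positive", SUCCESS
            elif impression != "negative":
                impression, status = "negative", result
            if result != SUCCESS and control == "requisite":
                return status
    return status

# The posted common-account stack: two 'sufficient' lines and nothing else.
POSTED_ACCOUNT = [("sufficient", ingroup("wheel")),
                  ("sufficient", ingroup("Technology"))]
# Same policy with an explicit final deny, so the result for everyone else
# is stated in the file instead of relying on libpam's implicit default.
EXPLICIT_ACCOUNT = POSTED_ACCOUNT + [("required", deny)]

def su_opens_session(caller_is_root: bool, account_result: str) -> bool:
    """shadow's su stops a non-root caller on an account failure; for root it
    prints 'Permission denied' and '(Ignored)' and continues, which is what
    the auth.log excerpt in the post shows."""
    return account_result == SUCCESS or caller_is_root
```

Running the account stack for a user outside both groups returns PAM_PERM_DENIED; the session in the log opens only because su was invoked by root, so testing with a non-root login path (SSH as the AD user) exercises the policy as written.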