Linux + Active directory authentication + only letting certain groups login

I have some Linux boxes that use Windows Active Directory authentication, and that works just fine (Samba + Winbind).

What I would like to do now though is only allow certain people or certain groups to login using Active Directory credentials. Currently anyone with a valid AD account can login. I want to limit this to only a few groups. Is this doable?


Assuming the groups are available to the Linux system, I recommend editing /etc/security/access.conf for Ubuntu, RedHat distributions (and their forks) and probably a bunch of others. This doesn't require editing PAM files, and is a nicely standard place to do it. There are usually examples in the file, commented out.
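A way to check an access.conf rule set offline before deploying it, as an added example that is not from the answer above: the function below emulates how pam_access walks the file (first matching rule wins, and a file in which nothing matches grants access). The sample rules and the group names linux-admins and web-ops are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original answers: emulate how pam_access walks
# /etc/security/access.conf, so a rule set can be checked before deployment.
# Modelled: first matching rule wins; "ALL", user names and "(group)" entries
# in the users field; "ALL", "LOCAL" (origin with no dot) and literal origins;
# no matching rule at all means access is GRANTED. EXCEPT/netgroups: not modelled.

# Constructed sample rule set (group names are made up): root from the console
# only, two AD groups from anywhere, everyone else denied.
SAMPLE_RULES='
# constructed sample access.conf
+ : root : LOCAL
+ : (linux-admins) (web-ops) : ALL
- : ALL : ALL
'

# access_decision RULES USER "group1,group2" ORIGIN  -> prints allow or deny
access_decision() {
    printf '%s\n' "$1" | awk -F: -v user="$2" -v groups="$3" -v origin="$4" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function in_groups(g,   i, n, arr) {
        n = split(groups, arr, ",")
        for (i = 1; i <= n; i++) if (trim(arr[i]) == g) return 1
        return 0
    }
    # kind "u": users field (ALL, user, (group)); kind "o": origins field
    function field_match(field, kind,   i, n, tok, t) {
        n = split(trim(field), tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "ALL") return 1
            if (kind == "u" && t == user) return 1
            if (kind == "u" && t ~ /^\(.*\)$/ && in_groups(substr(t, 2, length(t) - 2))) return 1
            if (kind == "o" && (t == origin || (t == "LOCAL" && origin !~ /\./))) return 1
        }
        return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    NF >= 3 && field_match($2, "u") && field_match($3, "o") {
        verdict = (trim($1) == "+") ? "allow" : "deny"  # first match decides
        print verdict; found = 1; exit
    }
    END { if (!found) print "allow" }                 # pam_access default
    '
}

# Stand-alone demo: an admin-group member, a plain domain user, root remotely
access_decision "$SAMPLE_RULES" alice "domain users,linux-admins" 10.0.0.5
access_decision "$SAMPLE_RULES" bob "domain users" 10.0.0.5
access_decision "$SAMPLE_RULES" root "" 10.0.0.5
```

Drop the final `- : ALL : ALL` line from the sample and re-run it for bob to see the pitfall: with no matching rule, pam_access lets the login through, so a group-based allow list needs an explicit catch-all deny.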


(I'm talking about samba 3 here, no experience on samba 4 now.)

There is no need to edit those /etc/pam.d/xxx files. pam_winbind.conf is the file you want, it is usually located at /etc/security/pam_winbind.conf.

It is the configuration file of the pam_winbind module, and it works for both CentOS/Redhat and Debian/Ubuntu. You can read the man page of pam_winbind.conf for reference.

Here is an example file.

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
;krb5_auth = no

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependent on membership of one SID
# (can also take a name)
# require_membership_of = SID,SID,SID
require_membership_of = S-1-5-21-4255311587-2195296704-2687208041-1794

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
mkhomedir = yes

I currently use the AllowGroups directive in /etc/ssh/sshd_config to limit who's able to log in. Specify one or more AD groups on that line, and those people will be the only ones able to log in.

Keep in mind that this only works if your users are only accessing the server remotely via ssh. If they're signing in locally, you'll need to find another solution.