Problem:
Any domain user can log in to my linux servers if I join them to the domain.
Solution:
Use pam_listfile to limit it to one specific group.
Followed this guide
http://www.cyberciti.biz/tips/howto-...oup-login.html
Result: Will not work! :-p
Put the following line in my /etc/pam.d/system-auth file:
auth required /lib/security/$ISA/pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
Added the correct AD group to the login.group.allowed file and no worky..
I cannot log in to the server with a domain user in that group. If I remove that line and/or change item=group to item=user and add my test user id to the file, it works fine.
messages shows this:
Sep 14 16:23:26 servername sshd[17839]: PAM-listfile: Refused user testid for service sshd
Sep 14 16:23:26 servername sshd(pam_unix)[17839]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.1 user=testid
Sep 14 16:23:26 servername sshd[17839]: pam_winbind(sshd): user 'testid' granted access
Any ideas would be GREATLY appreciated. I am banging my head on the wall on this one and it is probably something stupid I am just overlooking.
Thanks
r3z
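The check the post is trying to configure, as an added shell example that is not part of the original post and not the pam_listfile module's own code: it approximates the `item=group sense=allow onerr=fail` decision for a single user by resolving the user's groups through NSS (`id -Gn`, so Winbind-provided groups appear under exactly the names NSS hands back, with or without a domain prefix depending on how winbind is configured) and matching each name against whole lines of the allow file. The `PAM_TEST_GROUPS` override, the `linux-admins` group name and the sample file contents are constructed for the demo. Run against the real user and `/etc/login.group.allowed` on the affected server, it shows which group names are actually being compared, which is the first thing to verify when a group-based allow list refuses a user who appears to be in the group.

```shell
#!/bin/sh
# Added example: approximate pam_listfile's "item=group sense=allow onerr=fail"
# decision for one user. Not the module's code; the real module is C and uses
# getgrouplist() via NSS, which is what `id -Gn` also goes through.

# resolve_groups USER: print the user's group names, one per line.
# PAM_TEST_GROUPS (constructed test hook, not a real setting) replaces the live
# NSS lookup with a newline-separated list so the logic can be exercised offline.
resolve_groups() {
    if [ -n "${PAM_TEST_GROUPS+x}" ]; then
        printf '%s\n' "$PAM_TEST_GROUPS"
    else
        # Note: `id -Gn` separates names with spaces, so a group whose name
        # itself contains a space is split here; check such names with
        # `getent group` instead.
        id -Gn "$1" 2>/dev/null | tr ' ' '\n'
    fi
}

# pam_listfile_group_allowed USER ALLOWFILE: exit 0 to allow, 1 to deny.
pam_listfile_group_allowed() {
    pl_user=$1
    pl_file=$2
    # onerr=fail: a missing or unreadable list file denies rather than
    # silently letting the stack continue.
    [ -r "$pl_file" ] || return 1
    # sense=allow: the user is allowed if ANY of their groups is a whole
    # line of the file (exact, fixed-string, full-line match, as the module does).
    pl_hit=$(resolve_groups "$pl_user" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        if grep -qxF -- "$g" "$pl_file"; then
            echo hit
            break
        fi
    done)
    [ "$pl_hit" = hit ]
}

# Offline demo with constructed data: an allow file listing one group and a
# simulated NSS answer for a domain user who is a member of it.
demo_file=$(mktemp)
printf 'linux-admins\n' > "$demo_file"
PAM_TEST_GROUPS="$(printf 'domain users\nlinux-admins')"
if pam_listfile_group_allowed testid "$demo_file"; then
    echo "allow: testid"
else
    echo "deny: testid"
fi
unset PAM_TEST_GROUPS
rm -f "$demo_file"
```

On a live server, `pam_listfile_group_allowed testid /etc/login.group.allowed` (with `PAM_TEST_GROUPS` unset) uses the real NSS answer; comparing the output of `id -Gn testid` with the lines in the file shows whether the names differ only by a domain prefix or separator, which the exact full-line match will not tolerate.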