LinuxQuestions.org


ferricoxide 11-04-2010 04:03 PM

Problem With Using pam_listfile and Secondary Group-memberships in Active Directory
 
Right now, I'm trying to push a large enterprise (several tens of thousands of users) into using centralized authentication for their growing population of RHEL 5.x servers. This enterprise is primarily Windows-based. I've got people interested in using the winbind authentication. However, given the size of the operation, we can't just have anyone authenticatable through AD allowed to log into a system.

For some systems, use of the pam_winbind.conf would be sufficient. However, there are some systems that are shared by people in different AD groupings. So, I've been looking to leverage pam_listfile for that task. It looks like a good start, but seems to be falling down when I try to have it make its allow/deny decisions based on anything other than a user's primary AD group.

Given the complexity of the organizational structure in this enterprise, secondary group functionality is critical. I'm trying to determine if there's something I'm missing in my config or if my pam_listfile version is missing something.

RPM info for my pam subsystem is:


Code:

Name        : pam                          Relocations: (not relocatable)
Version    : 0.99.6.2                          Vendor: Red Hat, Inc.
Release    : 6.el5_4.1                    Build Date: Mon 08 Mar 2010 03:51:15 AM EST
Install Date: Wed 21 Jul 2010 03:22:41 PM EDT      Build Host: x86-001.build.bos.redhat.com
Group      : System Environment/Base      Source RPM: pam-0.99.6.2-6.el5_4.1.src.rpm
Size        : 2541468                          License: GPL or BSD
Signature  : DSA/SHA1, Wed 10 Mar 2010 07:18:18 AM EST, Key ID 5326810137017186
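
A diagnostic for the situation described in the post above, added here as an example and not part of the original post: it reports whether a user's match against a group list file comes from the primary group or only from a secondary group. It assumes the list file holds one group name per line; the function names, the `EXAMPLE\...` group names and the sample file are constructed.

```shell
#!/bin/bash
# Added diagnostic, not from the original post.

# classify_match LISTFILE PRIMARY [SECONDARY...]
# Prints "primary", "secondary" or "none" depending on which of the
# user's groups appears as an exact line in LISTFILE (one group per line).
classify_match() {
    listfile=$1; primary=$2; shift 2
    if grep -Fxq -- "$primary" "$listfile"; then
        echo primary; return 0
    fi
    for g in "$@"; do
        if grep -Fxq -- "$g" "$listfile"; then
            echo secondary; return 0
        fi
    done
    echo none; return 1
}

# check_user USER LISTFILE
# Resolves groups through NSS (so winbind is exercised) by numeric GID,
# which keeps AD group names containing spaces intact.
check_user() {
    user=$1; listfile=$2
    primary=$(id -gn "$user") || return 2
    set --
    for gid in $(id -G "$user"); do
        name=$(getent group "$gid" | cut -d: -f1)
        if [ -n "$name" ] && [ "$name" != "$primary" ]; then
            set -- "$@" "$name"
        fi
    done
    classify_match "$listfile" "$primary" "$@"
}

# Constructed sample: the list file and group names are made up.
demo() {
    f=$(mktemp)
    printf '%s\n' 'EXAMPLE\linux admins' 'EXAMPLE\dba team' > "$f"
    classify_match "$f" 'EXAMPLE\domain users' 'EXAMPLE\dba team'
    rm -f "$f"
}
```

Running `check_user` for an affected account shows whether NSS resolves the secondary group at all; a result of `secondary` for a user who is still denied points at the PAM-side group check rather than at winbind's group resolution.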


