Right now, I'm trying to push a large enterprise (several tens of thousands of users) into using centralized authentication for their growing population of RHEL 5.x servers. This enterprise is primarily Windows based. I've got people interested in using the winbind authentication. However, given the size of the operation, we can't just have anyone authenticatable through AD allowed to log into a system.
For some systems, use of the pam_winbind.conf would be sufficient. However, there are some systems that are shared by people in different AD groupings. So, I've been looking to leverage pam_listfile for that task. It looks like a good start, but seems to be falling down when I try to have it make its allow/deny decisions based on anything other than a user's primary
Given the complexity of the organizational structure in this enterprise, secondary group functionality is critical. I'm trying to determine if there's something I'm missing in my config or if my pam_listfile version is missing something.
RPM info for my pam subsystem is:
Name : pam Relocations: (not relocatable)
Version : 0.99.6.2 Vendor: Red Hat, Inc.
Release : 6.el5_4.1 Build Date: Mon 08 Mar 2010 03:51:15 AM EST
Install Date: Wed 21 Jul 2010 03:22:41 PM EDT Build Host: x86-001.build.bos.redhat.com
Group : System Environment/Base Source RPM: pam-0.99.6.2-6.el5_4.1.src.rpm
Size : 2541468 License: GPL or BSD
Signature : DSA/SHA1, Wed 10 Mar 2010 07:18:18 AM EST, Key ID 5326810137017186