LinuxQuestions.org

Linux - Networking: PAM - only allow domain group members to log on via ssh? (https://www.linuxquestions.org/questions/linux-networking-3/pam-only-allow-domain-group-members-to-log-on-via-ssh-407426/)

humbletech99 01-24-2006 11:17 AM

PAM - only allow domain group members to log on via ssh?
Hi,
I want to allow only one group member from my domain to log in to my gentoo box. Having got the group id (15020), with my understanding of PAM, I've done:

Code:

auth      sufficient  pam_unix.so likeauth nullok
auth      sufficient  pam_winbind.so use_first_pass
auth      required    pam_deny.so

account    sufficient  pam_succeed_if.so gid=15020
account    required    pam_winbind.so
account    required    pam_unix.so

password  required    pam_cracklib.so retry=3
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  required    pam_deny.so

session    required    pam_limits.so
session    required    pam_unix.so
session    sufficient  pam_mkhomedir.so skel=/etc/skel/ umask=0077

Domain authentication works fine from before, but it doesn't stop domain users not in the 15020 mapped group from logging in. I've done various permutations of these PAM rules but haven't hit the spot yet; can anyone recommend anything?

Matir 01-24-2006 11:42 AM

I don't see anything in "auth" about group 15020.

humbletech99 01-24-2006 11:47 AM

I also tried that, but it also didn't do the trick; I read on a web page that account ... was the line to add.

I'm using 2 accounts to test, one in the group and one outside. The changes I've made either allow both to log in or neither.

Is it possible that even when I've got the PAM right, it only compares the primary group that shows up when you do

Code:

getent passwd user
?

If so, this might explain something cos 15020 isn't the primary group of the user who is a member.

Matir 01-24-2006 11:53 AM

I would guess that it only works on the primary group id.
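Added example, not from the thread: a small Python model of the two pam_succeed_if tests and of PAM control flags, run over constructed passwd/group entries. It shows both points at once: the `gid=` test compares only the user's primary GID (the `user ingroup` test also counts supplementary groups), and a `sufficient` line that fails simply falls through to the following `required` winbind/unix account checks, which pass for any valid domain user, so the posted stack admits non-members. The user names and the group name `sshusers` are hypothetical; 15020 is the GID from the thread.

```python
# Constructed sample data in getent passwd/group format; users and the group
# name are hypothetical, gid 15020 is the one from the thread.
PASSWD = """\
alice:x:10001:10001:alice:/home/alice:/bin/bash
bob:x:10002:10002:bob:/home/bob:/bin/bash
"""
GROUP = "sshusers:x:15020:alice\n"

def primary_gid(user):
    for line in PASSWD.splitlines():
        f = line.split(":")
        if f[0] == user:
            return int(f[2])
    raise KeyError(user)

def all_gids(user):
    # Primary GID plus every group whose member list names the user.
    gids = {primary_gid(user)}
    for line in GROUP.splitlines():
        f = line.split(":")
        if user in f[3].split(","):
            gids.add(int(f[2]))
    return gids

# pam_succeed_if predicates: gid= compares the primary GID only,
# user ingroup counts supplementary membership as well.
def succeed_if_gid(user, gid):
    return primary_gid(user) == gid

def succeed_if_ingroup(user, gid):
    return gid in all_gids(user)

def run_stack(stack, user):
    # Simplified PAM control-flag semantics for one management group.
    failed = False
    for control, check in stack:
        ok = check(user)
        if control == "sufficient" and ok and not failed:
            return True   # short-circuits; remaining modules are skipped
        if control == "requisite" and not ok:
            return False  # denies immediately
        if control == "required" and not ok:
            failed = True  # keeps going, but the final verdict is deny
    return not failed

# pam_winbind/pam_unix account checks pass for any known user (modelled).
def known_user(user):
    return any(l.split(":")[0] == user for l in PASSWD.splitlines())

# The posted stack: a failed "sufficient" line just falls through.
POSTED_STACK = [("sufficient", lambda u: succeed_if_gid(u, 15020)),
                ("required", known_user), ("required", known_user)]
# Hardened: required + supplementary-aware check, so non-members are denied.
HARDENED_STACK = [("required", lambda u: succeed_if_ingroup(u, 15020)),
                  ("required", known_user), ("required", known_user)]
```

With the constructed data, `run_stack(POSTED_STACK, "bob")` is True even though bob is not in 15020, while `run_stack(HARDENED_STACK, "bob")` is False and alice is still admitted.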
