LinuxQuestions.org
Old 01-24-2006, 11:17 AM   #1
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Rep: Reputation: 30
PAM - only allow domain group members to log on via ssh?


Hi,
I want to allow only one group member from my domain to log in to my gentoo box. Having got the group id (15020), with my understanding of PAM, I've done:

Code:
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_winbind.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_succeed_if.so gid=15020
account    required     pam_winbind.so
account    required     pam_unix.so

password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel/ umask=0077

Domain authentication works fine from before, but it doesn't stop domain users not in the 15020 mapped group from logging in. I've done various permutations of these PAM rules but haven't hit the spot yet. Can anyone recommend anything?

Last edited by humbletech99; 01-24-2006 at 11:23 AM.
 
Old 01-24-2006, 11:42 AM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 117
I don't see anything in "auth" about group 15020.
 
Old 01-24-2006, 11:47 AM   #3
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Original Poster
Rep: Reputation: 30
I also tried that, but it also didn't do the trick; I read on a web page that account ... was the line to add.

I'm using 2 accounts to test, one in the group and one outside. The changes I've made either allow both to log in or neither.

Is it possible that even when I've got the PAM right, it only compares the primary group that shows up when you do

Code:
getent passwd user
?

If so, this might explain something cos 15020 isn't the primary group of the user who is a member.
 
Old 01-24-2006, 11:53 AM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 117
I would guess that it only works on the primary group id.
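The distinction Matir guesses at in #4 can be shown directly. The script below is an added example, not code from this thread or from pam_succeed_if itself: it emulates the two pam_succeed_if conditions relevant here, `gid=NNN`, which compares only the primary gid from the passwd entry, and `user ingroup NAME`, which also honours supplementary membership listed in the group file, on constructed passwd/group data. The user names, numeric ids other than 15020, and the group name `sshusers` are constructed for the example.

```python
"""Emulate pam_succeed_if's 'gid=NNN' and 'user ingroup NAME' checks on
constructed passwd/group data to show why 'gid=' ignores supplementary
groups (added example; not the thread's or PAM's own code)."""

# Constructed sample data, not taken from any real system:
#   alice: primary group 'domain users' (10000), supplementary member of 'sshusers' (15020)
#   bob:   primary group 'domain users' only
#   carol: primary group 'sshusers' (15020)
PASSWD = """\
alice:x:10001:10000::/home/alice:/bin/bash
bob:x:10002:10000::/home/bob:/bin/bash
carol:x:10003:15020::/home/carol:/bin/bash
"""

GROUP = """\
domain users:x:10000:
sshusers:x:15020:alice
"""


def parse_passwd(text):
    """Map user name -> primary gid, from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _uid, gid, *_rest = line.split(":")
        users[name] = int(gid)
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


USERS = parse_passwd(PASSWD)
GROUPS = parse_group(GROUP)


def primary_gid_is(user, gid, users=USERS):
    """pam_succeed_if 'gid=NNN': true only if the user's primary gid matches."""
    return users.get(user) == gid


def user_ingroup(user, group, users=USERS, groups=GROUPS):
    """pam_succeed_if 'user ingroup NAME': true if the group is the user's
    primary group or lists the user as a supplementary member."""
    if group not in groups:
        return False
    gid, members = groups[group]
    return users.get(user) == gid or user in members


def compare(user):
    """Return both verdicts for a user so the difference is visible side by side."""
    return {
        "gid=15020": primary_gid_is(user, 15020),
        "user ingroup sshusers": user_ingroup(user, "sshusers"),
    }


if __name__ == "__main__":
    for name in USERS:
        print(name, compare(name))
```

Run as a script it shows that `alice`, who is only a supplementary member of the 15020 group, fails `gid=15020` but passes `user ingroup sshusers`, while `carol` passes both and `bob` passes neither. The same distinction explains the posted stack: `account sufficient pam_succeed_if.so gid=15020` lets a user whose primary gid is 15020 skip the remaining account modules, but a user who fails it simply falls through to pam_winbind and pam_unix, which accept any valid domain account, so nothing ever denies the non-member. A `required` pam_succeed_if line using `user ingroup <mapped group name>` (the group name as winbind presents it; placeholder here) would fail the account stack for non-members, and sshd's own `AllowGroups` directive is an independent way to enforce the same restriction at the ssh layer.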
 
All times are GMT -5.