So I have spent way too much time trying to get this to work. I got what I thought would be the hard part done easily, and that was simply being able to log in to my Linux box with an AD account. But my issue is that any account I set up the Unix attributes for in AD can log in to my box. So I've been struggling with access control. I have mostly been focusing on using pam_access and the /etc/security/access.conf file to control this, but no matter what I do it doesn't seem to be taking effect... Here are some of my configs that will hopefully show something I am doing wrong.
=================
/etc/ldap.conf
=================
# nss_ldap/pam_ldap client configuration for the lab001.local AD domain.
# User/group lookups (NSS) are served by the domain controller named below.
# Both host and uri are set; uri is normally the one nss_ldap honours — confirm.
host 10.1.1.101
base dc=lab001,dc=local
uri ldap://swllabdc01.lab001.local
#binddn
# NOTE(review): the bare line below looks like a wrapped remainder of the
# commented-out binddn directive above; on its own it is not a valid
# directive — confirm it is not present in the real file.
ldapbind@lab001.local
# Service account used for the (non-anonymous) directory bind.
binddn CN=LDAPBIND,OU=Linux-Users,DC=LAB001,DC=local
# Bind password stored in the clear; with "ssl no" below it also crosses the
# network unencrypted on every bind. Keep this file root-readable only, or
# use nss_ldap's rootbinddn + /etc/ldap.secret pattern so the secret is not
# kept in this config file at all.
bindpw xxxxxxxx
# pam_ldap-only login restriction: membership in this group is required.
# It is enforced only when pam_ldap is in the PAM stack; the system-auth
# shown on this page uses pam_krb5, not pam_ldap, so this restriction is
# not applied to the logins being tested.
pam_groupdn CN=RHEL4Users,OU=Linux-Users,DC=LAB001,DC=local
# memberUid is the RFC2307 membership attribute; AD normally carries
# membership in "member" (DN values) — cf. the uniqueMember mapping below.
# Confirm which attribute the RHEL4Users group actually populates.
pam_member_attribute memberUid
scope sub
# Cleartext LDAP: binds and lookups are unencrypted on the wire.
ssl no
nss_base_passwd dc=lab001,dc=local?sub
nss_base_shadow dc=lab001,dc=local?sub
#nss_base_group dc=lab001,dc=local?sub?&(objectCategory=group)(gidnumber=*)
# Group search base is the RHEL4Users object's own DN, so presumably only
# that group is meant to be visible to NSS — confirm. This limits which
# groups are resolvable; it does not by itself restrict who may log in.
nss_base_group CN=RHEL4Users,OU=Linux-Users,DC=LAB001,DC=local?sub?&(objectCategory=group)(gidnumber=*)
# Map RFC2307 object classes/attributes onto the AD schema.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
# Hash used by pam_ldap for password changes; unused by the shown PAM stack.
pam_password md5
~
==================
/etc/krb5.conf
==================
# Kerberos client configuration for the LAB001.LOCAL realm (the AD domain).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LAB001.LOCAL
# Realm and KDC discovery via DNS in addition to the static [realms]
# entries below.
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
LAB001.LOCAL = {
kdc = SWLLABDC01.LAB001.LOCAL:88
admin_server = SWLLABDC01.LAB001.LOCAL:749
default_domain = LAB001.LOCAL
}
# Host/domain name to realm mapping.
[domain_realm]
.lab001.local = LAB001.LOCAL
lab001.local = LAB001.LOCAL
# Presumably only meaningful on a host that runs a KDC; unused by a
# client-only box — confirm.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
# Settings pam_krb5 reads for its own behaviour.
[appdefaults]
pam = {
# Turn on temporarily while troubleshooting so pam_krb5 reports why its
# auth/account phase returned what it did.
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
~
=====================
/etc/pam.d/system-auth
======================
# PAM stack for local and AD (Kerberos) logins. Control flags matter here:
# a "sufficient" module that succeeds, with no earlier "required" failure,
# returns success to the application immediately and nothing after it in
# the same phase is evaluated.
auth required /lib/security/pam_env.so
# Local passwd/shadow first; an AD user normally has no usable local hash,
# so this fails and the stack falls through to Kerberos.
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so
auth required /lib/security/pam_deny.so
# ACCOUNT PHASE — why pam_access is not taking effect:
# for an AD user pam_krb5's account check succeeds here and, being
# "sufficient", ends the phase with success. The remaining account lines,
# including pam_access, are never consulted for those users. Any
# access-control module must sit ABOVE this line and be required, e.g.
#   account required /lib/security/pam_access.so
# as the first account entry.
account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_unix.so
# Low-UID (system) accounts skip the rest of the phase.
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
# A "required" pam_deny always fails; any user who gets this far is denied
# no matter what pam_access decides afterwards, so the pam_access line
# below can never produce an allow in its current position.
account required /lib/security/pam_deny.so
#account required /lib/security/pam_access.so
account [default=bad success=ok user_unknown=ignore] /lib/security/pam_access.so
# Password changes go only to local shadow (there is no pam_krb5 line
# here), so an AD user's password cannot be changed through this stack.
password requisite /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
~
====================
/etc/security/access.conf
=====================
# pam_access rules, format permission:users/groups:origins; the first
# matching line wins.
# Allow root from any origin.
+:root:ALL
#+:t1zdh:ALL
# Deny everyone else from every origin. This table is only consulted when
# pam_access is actually reached in the PAM account phase; in the
# system-auth shown on this page it sits after "sufficient" modules and so
# never runs for Kerberos (AD) users, which is why -:ALL:ALL appears to
# have no effect.
-:ALL:ALL
So I was testing with the t1zdh account, which is a test account, trying to see if this would prevent that account from logging in. I even tried just -:ALL:ALL and I could still log in, so it doesn't look like it's even being applied.
I'm sure I'm doing something horribly wrong so any help would be greatly appreciated.