[SOLVED] PAM allow one usergroup and root from specified ip
I think the problem could be in the access.conf file syntax. I also can't allow a single domain account in that file, e.g.
+ : mydomainaccount : ALL
+ : mydomainaccount : mydomain.com
+ : mydomainaccount : .mydomain.com
+ : mydomainaccount : \MYDOMAIN
I didn't want to configure Samba because I think that not all of my Linux servers have it, and also all of my Linux servers have joined the domain the same way.
So I solved this problem with PAM.
Now I have the following lines in /etc/pam.d/sshd:
auth sufficient pam_winbind.so try_first_pass require_membership_of=mydomaingroup
auth required pam_access.so
auth sufficient common-auth
I also put the following lines in the file /etc/security/access.conf:
+ : root : 192.168.1.10
- : ALL : ALL
Now we first check whether the user logging in is a member of mydomaingroup; if so, the rest of the PAM lines will not be checked.
If the user logging in is not a member of mydomaingroup, the pam_access.so module will check whether the user is listed in the access.conf file; if so, common-auth will ask for their password.
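Added example, not from this thread or from pam_access itself: a small evaluator of the access.conf semantics the two lines above rely on. pam_access takes the first rule whose user field AND origin field both match, and grants access when no rule matches at all, which is why the trailing "- : ALL : ALL" line is what actually denies everyone other than root from 192.168.1.10. The matcher is simplified (no EXCEPT, LOCAL or netmask origins), and the sample rules are constructed to mirror the post.

```python
"""Simplified evaluator for /etc/security/access.conf (pam_access) rules:
'permission : users : origins', first matching rule wins, and no match
means access is granted.  Constructed example; omits EXCEPT/LOCAL/netmasks."""
import ipaddress

# Constructed access.conf mirroring the post: root from one host, deny the rest.
ACCESS_CONF = """\
# comment lines and blanks are ignored
+ : root : 192.168.1.10
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permission, [users], [origins])] for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def user_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):   # explicit group form
        return item[1:-1] in groups
    return item == user or item in groups              # user name, then group

def origin_matches(item, origin):
    if item == "ALL":
        return True
    if item.startswith("."):                           # domain suffix
        return origin.endswith(item)
    try:                                               # exact IP address
        return ipaddress.ip_address(origin) == ipaddress.ip_address(item)
    except ValueError:
        return origin == item                          # plain hostname

def access_allowed(rules, user, groups, origin):
    """First rule whose users AND origins both match decides; none -> allowed."""
    for perm, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True
```

Dropping the final deny line leaves every non-root login falling through to "no rule matched", which pam_access treats as success.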
Well, a solution is a solution. I'm a big fan of generic solutions rather than overly targeted ones, and you may want to look into the lack of AD groups being generically available in the future (how are you managing root access for these users? sudo would want access to that group data too), but cool, as long as it works.