LinuxQuestions.org
Old 08-02-2012, 03:31 AM   #16
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster

In nsswitch.conf file are:

passwd: compat winbind
group: compat winbind

I think the problem could be in the access.conf file syntax? I also can't allow a single domain account in that file, e.g.
+ : mydomainaccount : ALL
or
+ : mydomainaccount : mydomain.com
or
+ : mydomainaccount : .mydomain.com
or
+ : mydomainaccount : \MYDOMAIN
etc.
 
Old 08-02-2012, 03:37 AM   #17
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
But line:
+ : MYDOMAIN\mydomainaccount : ALL

works.

This doesn't solve the problem, just testing and trying to understand this stuff.
 
Old 08-02-2012, 03:44 AM   #18
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

so with winbind in nsswitch.conf, "wbinfo -g" shows your group but "getent passwd" doesn't?
 
Old 08-02-2012, 03:46 AM   #19
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
Yes, wbinfo -g shows every domain group (MYDOMAIN\mygroup) and getent passwd shows only the local groups.
 
Old 08-02-2012, 03:53 AM   #20
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Hmm, OK. Back a little to something I mentioned before with the enum options in smb.conf, maybe clearer in this guy's reply - http://www.linuxquestions.org/questi...-login-885090/
 
Old 08-03-2012, 07:48 AM   #21
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
I didn't want to configure Samba because I think not all of my Linux servers have it, and also all of my Linux servers have joined the domain the same way.

So I solved this problem with pam.

Now I have following lines in /etc/pam.d/sshd:
auth sufficient pam_winbind.so try_first_pass require_membership_of=mydomaingroup
auth required pam_access.so
auth sufficient common-auth

I also put to file /etc/security/access.conf following lines:
+ : root : 192.168.1.10
- : ALL : ALL

Now we first check whether the user logging in is a member of mydomaingroup; if so, the rest of the PAM lines will not be checked.
If the user logging in is not a member of mydomaingroup, the pam_access.so module will check whether the user is listed in the access.conf file; if so, common-auth will ask for their password.

Thanks acid_kewpie for the advice.
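The stack in #21 mixes a `sufficient` pam_winbind line, a `required` pam_access line and a `sufficient` common-auth line, and #16/#17 show that pam_access only matched the account when written as MYDOMAIN\mydomainaccount. The following simulation is an added example for this page, not code from the thread or from Linux-PAM: it parses access.conf lines in the posted format, applies first-match evaluation, and steps through the posted auth stack using the `sufficient`/`required` semantics documented in pam.conf(5). It assumes the "auth sufficient common-auth" line behaves as a single sufficient password check, exactly as it is written (the thread does not say how that line is resolved; Debian's real common-auth file ends with its own pam_deny.so line). The user names, addresses and password outcomes are constructed sample data.

```python
# Added example: a model of the PAM auth stack from post #21 and of
# pam_access.so rule matching. Simulation only, not the PAM library.
from dataclasses import dataclass

# access.conf as posted in #21, plus the per-account line from #17.
# Format: permission : users : origins, first matching line wins.
ACCESS_CONF = r"""
+ : root : 192.168.1.10
+ : MYDOMAIN\mydomainaccount : ALL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return a list of (allow, user_tokens, origin_tokens) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def token_matches(token, value):
    """Simplified pam_access token match: ALL, a leading-dot domain suffix,
    otherwise a case-insensitive exact string. Netgroups, (group) tokens
    and netmasks are deliberately left out of this model."""
    if token == "ALL":
        return True
    if token.startswith("."):
        return value.lower().endswith(token.lower())
    return token.lower() == value.lower()


def access_allowed(user, origin, rules):
    """First matching access.conf line decides; no match means permit."""
    for allow, users, origins in rules:
        if any(token_matches(u, user) for u in users) and any(
            token_matches(o, origin) for o in origins
        ):
            return allow
    return True


@dataclass
class Login:                        # constructed sample login, not real data
    user: str                       # PAM user name, what pam_access compares
    origin: str                     # client address as seen by sshd
    in_domain_group: bool = False   # what require_membership_of would find
    password_ok: bool = False       # whether the supplied password is right


def pam_winbind(login):
    # require_membership_of=mydomaingroup: domain password AND group membership.
    return login.password_ok and login.in_domain_group


def pam_access(login, rules=parse_access_conf(ACCESS_CONF)):
    # pam_access consults access.conf only; it never checks a password.
    return access_allowed(login.user, login.origin, rules)


def common_auth(login):
    # Assumption: the posted "auth sufficient common-auth" line acts as one
    # sufficient password check.
    return login.password_ok


def pam_deny(login):
    return False


# The stack from #21, in order.
POSTED_STACK = [("sufficient", pam_winbind), ("required", pam_access),
                ("sufficient", common_auth)]
# Same stack with a trailing deny line, the pattern Debian's own common-auth
# file uses so a stack cannot succeed on a non-authenticating module alone.
HARDENED_STACK = POSTED_STACK + [("required", pam_deny)]


def run_auth_stack(login, stack):
    """pam.conf(5) semantics: 'sufficient' success ends the stack unless a
    required module already failed, its failure is ignored; 'required'
    failure is remembered but later lines still run; no result means fail."""
    status = None      # None: no module has recorded a result yet
    failed = False     # a required module has failed
    for control, module in stack:
        ok = module(login)
        if control == "sufficient":
            if ok and not failed:
                return True
        elif control == "required":
            if ok and not failed:
                status = True
            elif not ok:
                status, failed = False, True
        else:
            raise ValueError(control)
    return status is True


if __name__ == "__main__":
    for name, login in [
        ("group member", Login(r"MYDOMAIN\alice", "10.0.0.5", True, True)),
        ("root, listed host, bad pw", Login("root", "192.168.1.10", False, False)),
    ]:
        print(name, run_auth_stack(login, POSTED_STACK), run_auth_stack(login, HARDENED_STACK))
```

Running it reproduces the behaviour described in #21 for group members and for root from the listed host, and reproduces #16/#17: `+ : mydomainaccount : ALL` never matches a PAM user named MYDOMAIN\mydomainaccount, so the catch-all deny line fires. It also shows the caveat a reviewer would raise about the posted shape: pam_access is the only `required` line and it does not check passwords, so under the modelled semantics a user it permits is accepted even when the only password-checking module fails. A trailing `auth required pam_deny.so` (as in HARDENED_STACK) closes that path without changing the outcome for any of the intended logins.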
 
Old 08-03-2012, 08:19 AM   #22
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Well, a solution is a solution. I'm a big fan of generic solutions rather than overly targeted ones, and you may want to look into the lack of AD groups being generically available in future (how are you managing root access for these users? sudo would want access to that group data too), but cool, as long as it works.