Old 09-14-2017, 02:48 PM   #1
"Require_Membership_of" in pam_winbind.conf does nothing

I have 30-some servers that successfully authenticate against a Windows domain. The problem isn't logging in; that works great. The problem is keeping all domain users from authenticating. I have created a number of AD groups to govern access to different groups of servers and am trying to implement the /etc/security/pam_winbind.conf "require_membership_of = linux_users_group_name" operator to control access, and it is not working. I have tried using names and using the GUID of the group, and it's the same result.

I think this worked initially, before I updated my Samba versions, but I'm not 100% on that. Could be a wishful memory! Anyway, I've done a good bit of googling for a solution to this and I'm coming up with nothing. Any help would be greatly appreciated.



A little background:
Running Oracle Linux 5
uname: 2.6.39-400.297.3.el5uek #1 SMP Fri Jun 30 10:12:39 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux

winbindd -V = Version 3.0.33-3.39.el5_8

relevant lines from smb.conf:
workgroup = DomainName
realm = InternalDNS.corp
security = ads
template shell = /bin/bash
server string = Samba Server Version %v
netbios name = {hostname}
domain master = no
local master = no
preferred master = no
passdb backend = tdbsam
template homedir = /home/DOMAINNAME/%U
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
winbind separator = +
unix extensions = no
obey pam restrictions = Yes
smb passwd file = /etc/samba/secrets.tdb
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
restrict anonymous = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
wins support = no
load printers = no
cups options = raw
min protocol = SMB2
idmap backend = tdb
idmap uid = 80000 - 99990
idmap gid = 80000 - 99990

relevant lines from krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = InternalDNS.corp
 # dns_lookup_realm = false
 # dns_lookup_kdc = false
 # ticket_lifetime = 24h
 forwardable = yes
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 InternalDNS.corp = {
  InternalDNS.corp =
  InternalDNS.corp =
  kdc = WinDC1.InternalDNS.corp
  kdc = WinDC2.InternalDNS.corp
  kdc =
 }

[domain_realm]
 .InternalDNS.corp = InternalDNS.corp
 InternalDNS.corp = InternalDNS.corp

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth sufficient cached_login use_first_pass
auth required

account required
account sufficient uid < 500 quiet
account required

password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password sufficient cached_login use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

relevant lines from nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

# pam_winbind configuration file
# /etc/security/pam_winbind.conf

[global]
# turn on debugging
;debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = yes

# authenticate using kerberos
;krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = FILE

# make successful authentication dependend on membership of one SID
# (can also take a name)
require_membership_of = S-1-2-3-934785635639-123456789-987654321-19283
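The check a practitioner would run before touching the config again: resolve whatever require_membership_of lists to SIDs, pull the SIDs winbind actually puts in the user's token, and see whether one of them matches. The script below is an added example, not code from the original post or from Samba. It assumes wbinfo is on PATH and winbindd is running for the live wrapper (check_user); the matching itself is plain text processing so it can be run offline on captured wbinfo output. It also assumes require_membership_of accepts a comma-separated list of SIDs or names, which current pam_winbind documents; whether the 3.0.33 build on this page honours more than one entry is not something the page confirms. Names are written with the "winbind separator = +" from the smb.conf above (DOMAIN+group); the SIDs in the test data are constructed.

```bash
#!/bin/bash
# Added example, not code from the original post. Evaluates a pam_winbind
# "require_membership_of" policy by hand: resolve the policy entries to
# SIDs, fetch the SIDs in the user's winbind token, and look for any match.
# Only check_user and entry_to_sid call wbinfo (assumed on PATH, with
# winbindd running); the matching logic is pure text processing.

# Split a require_membership_of value (comma-separated SIDs and/or names)
# into one trimmed, non-empty entry per line.
split_required() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Resolve one policy entry to a SID. SIDs pass through unchanged; a name
# (DOMAIN+group, using the "winbind separator" from smb.conf) is looked up
# with `wbinfo -n`, whose first field is the SID.
entry_to_sid() {
    case "$1" in
        S-1-*) printf '%s\n' "$1" ;;
        *)     out=$(wbinfo -n "$1") || return 2
               printf '%s\n' "${out%% *}" ;;
    esac
}

# membership_ok REQUIRED TOKEN
#   REQUIRED: comma-separated SIDs (names already resolved)
#   TOKEN:    newline-separated SIDs of the user's token, the output format
#             of `wbinfo --user-sids=<user SID>` (nested groups included)
# Returns 0 when at least one required SID is in the token, 1 otherwise.
# Whole-line fixed-string matching stops a prefix such as ...-110 from
# matching ...-1104.
membership_ok() {
    required="$1"
    token="$2"
    for sid in $(split_required "$required"); do
        if printf '%s\n' "$token" | grep -qxF -- "$sid"; then
            return 0
        fi
    done
    return 1
}

# Print the value of the active (uncommented) require_membership_of line;
# lines starting with ';' or '#' are comments in pam_winbind.conf.
policy_from_conf() {
    sed -n 's/^[[:space:]]*require_membership_of[[:space:]]*=[[:space:]]*//p' \
        "${1:-/etc/security/pam_winbind.conf}"
}

# check_user USER [CONF]: live verdict for one account, e.g.
#   check_user alice            (with "winbind use default domain = yes")
#   check_user 'DOMAIN+alice'
# Exit status: 0 allowed, 1 denied, 2 winbind lookup failed.
check_user() {
    user="$1"
    conf="${2:-/etc/security/pam_winbind.conf}"
    # If the machine-account trust secret is broken every lookup below
    # fails; test it first so the failure is attributable.
    wbinfo -t >/dev/null || { echo "trust secret check failed (wbinfo -t)" >&2; return 2; }
    out=$(wbinfo -n "$user") || { echo "cannot resolve user $user" >&2; return 2; }
    user_sid=${out%% *}
    token=$(wbinfo --user-sids="$user_sid") || { echo "cannot read token for $user_sid" >&2; return 2; }
    policy=$(policy_from_conf "$conf")
    # No active policy line means pam_winbind restricts nobody: exactly
    # the "every domain user can log in" symptom.
    if [ -z "$policy" ]; then
        echo "$user: no active require_membership_of in $conf, every domain user is allowed"
        return 0
    fi
    resolved=""
    while IFS= read -r entry; do
        sid=$(entry_to_sid "$entry") || { echo "cannot resolve $entry" >&2; return 2; }
        resolved="$resolved,$sid"
    done <<EOF
$(split_required "$policy")
EOF
    if membership_ok "$resolved" "$token"; then
        echo "$user: allowed (token contains a required SID)"
    else
        echo "$user: denied by require_membership_of = $policy"
        return 1
    fi
}

if [ "$#" -gt 0 ]; then
    check_user "$@"
fi
```

Run it as `bash check_membership.sh DOMAIN+someuser` on a joined host. If the script says "allowed" for a user who should be denied, the token really does contain a listed SID (check nested membership with `wbinfo --user-domgroups`); if it says "denied" but the user still logs in, the enforcement is not happening in PAM at all, and enabling the `;debug = yes` line shown in the pam_winbind.conf above makes pam_winbind log which module and which policy it evaluated. A `wbinfo -t` failure points at the machine-account trust, not at the policy.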
Old 09-27-2017, 11:14 AM   #2
Original Poster
This is now working as it should. Near as I can figure, this issue coincided with the change of the password on the domain admin account I used to join these servers to the domain. It seems odd to me that it would matter. Maybe that's a coincidence?

I'll leave this open for a bit in hopes that someone can enlighten me on this.

