Hi all ,
I want to restrict ssh access to users of 2 groups.
But , from what I saw in pam_succeed_if documentation, it did not look possible. The issue is that one group is a mapped NT group via winbind , and one is a local group on the machine. Any ideas about this can be achieved?

NTgroup = OUusers
Local Group = server_admins

I want only these to be able to login.

Assume in smb.conf the imap uids / guids are starting here:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

then the pam config file would look like this (in our case we're doing this for ssh access so this is the contents of /etc/pam.d/sshd)

#%PAM-1.0
auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 16777216
account sufficient pam_succeed_if.so user ingroup windows_group_1
account required pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

every extra ingroup line you add, add 1 to default= . That defines the number of lines to skip if the condition isn't met i.e. it's a local id not an active directory id. The last of the ingroup lines should be set account required, all the others in front of it should be set account sufficient.

For some reason it was necessary to have this line in the system-auth-ac file, putting it in sshd directly didn't work:

auth sufficient pam_winbind.so use_first_pass

But your question is more about mixing and matching a local group and a windows group, not multiple windows groups (although I think there's some value to wanting to do that also). Here's our entire system-auth-ac file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

"include" statements in the sshd file mean read in what you have in system-auth-ac (system-auth is an alias). So the line

account include system-auth

in the sshd file causes these lines:

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

to be read in - the first of which states use the standard Unix authentication modules i.e. /etc/passwrd etc. process. Well I think this is all ok - it's been holding up over the last two days.

Just wanted to point out (yes, I know this is an old thread, but shows up near the top of Google for "Pam Multiple Group" and a few other related topics), this suggested config would completely bypass the system-auth include line if the user is in the windows_group_1 group. The sufficient mode will immediately return success for that check. The way to require one of a set of requirements without breaking the basic checks in the include line is to change to the following:

account [default=ignore success=2] pam_succeed_if.so quiet uid < 16777216
account [default=ignore success=1] pam_succeed_if.so user ingroup windows_group_1
account [default=bad success=ignore] pam_succeed_if.so user ingroup windows_group_2

What happens here is it first checks if the user is local or not (same as OP suggested just flipped the compare to keep syntax the same) and skips the group checking if so (via success=2). Next, it checks for membership in windows_group_1, if a member, it skips out of the group checking and continues at the include system-auth line, otherwise it checks for membership in windows_group_2, and fails the account section if not in that group. You can add as many groups as you like here, just duplicate the windows_group_1 line and increment the numbers in the first two lines (success=3 and success=2, new line stays at success=1) so it will properly skip out of the group checking. The last check line should always have default=bad to fail the section. You probably want to add quiet to both the group checking lines as well so it doesnt log a failure every time someone in windows_group_2 logs in.

This basically sets up a logical OR across a bunch of checks. As shown here, it checks that UID is below a certain minimal value, or that the user is a member of one of either groups presented (ie: ( uid<$x || $user.ingroup(windows_group_1) || $user.ingroup(windows_group_2)) ).

tmack0: I really appreciate you concern. Thanks for taking the trouble to post this here.
Yes that surely seems is a better way of doin the multiple group thins. I will modify my pam config accordingly.

Thanks for the update tmack0. Very slick. So here's the whole file for your cutting and pasting pleasure, just watch out for the ^M at the end of each line that sometimes sneak in - dos2unix will get rid of them.

auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=ignore success=2] pam_succeed_if.so quiet uid < 16777216
account [default=ignore success=1] pam_succeed_if.so user ingroup windows_group_1
account [default=bad success=ignore] pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel