On 07/06/2012 12:24 PM, joerabbi wrote:
> How do I control who can log in from Active Directory?
> I currently use Centrify for Active Directory control and am looking to
> use the built in access in SLES. I have successfully joined the domain
> and can log in with my Windows network account. How can I restrict who
> can log in from the Windows side?
> In CentrifyDC I can control remote access to the server and sudo rights
> via AD groups.
Let’s say you only want “domain admins” to be able to log in.
Create the directory /usr/local/etc if it doesn’t exist.
Create a file called /usr/local/etc/allowgroups and place the following lines
inside:
root
domain admins
Next edit the file /etc/pam.d/common-auth and add the following at the top of
the rules there:
auth requisite pam_listfile.so item=group sense=allow file=/usr/local/etc/allowgroups onerr=fail
Oh… and if possible, keep a root shell to the host alive and leave it alone while
testing all of this (you don’t want to shut out root, for example, if it’s needed,
by making a typo… right?)
The test is pretty easy… if you try to ssh in as somebody NOT belonging to
either the group root or “domain admins”, you won’t even get an opportunity to
get at a password prompt via ssh.
Not saying this is the “best” way to do what you want… just presenting a
possibility… (do a man on pam_listfile; you can do something similar using an
allowed user list, etc.… and likewise, you could deny instead of allow).
Also, just general pam… I picked on auth. The pam_listfile works in just
about all management groups… e.g. session, etc.
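The decision the reply describes (allow only if one of the user's groups appears as a whole line in the allowgroups file, and deny rather than fall open if the file cannot be read because of onerr=fail) can be dry-run before editing /etc/pam.d/common-auth. The following is an added example, not code from the post or from pam_listfile itself; it models that decision in POSIX shell so a typo in the list or a missing file shows up before anyone is locked out. The second function wraps it for a local account using getent, which assumes the group database (local or AD via NSS) is resolvable on the box.

```bash
#!/bin/sh
# Added example (not from the original post): models the decision pam_listfile.so
# makes with item=group sense=allow onerr=fail, using a constructed allowgroups
# file. Exit 0 means "would be allowed", exit 1 means "would be denied".

# would_allow ALLOWFILE GROUP [GROUP...]
#   ALLOWFILE: one group name per line, e.g. "root" and "domain admins"
#   GROUP...:  the groups the candidate user belongs to
would_allow() {
    allowfile=$1
    shift
    # onerr=fail: an unreadable or missing list must deny, never fall open
    [ -r "$allowfile" ] || return 1
    for g in "$@"; do
        # -F: literal, -x: whole line (so "domain admins" with its space matches
        # exactly and "admins" alone does not), -q: no output
        if grep -Fxq -- "$g" "$allowfile"; then
            return 0
        fi
    done
    return 1
}

# would_allow_user ALLOWFILE USER
#   Resolves USER's primary group and supplementary memberships through getent
#   (assumption: NSS can resolve them), then asks would_allow. Group names are
#   read line by line rather than split on whitespace so "domain admins" survives.
would_allow_user() {
    allowfile=$1
    user=$2
    primary=$(id -gn "$user" 2>/dev/null) || return 1
    groups="$primary"
    # walk every group entry and collect those listing the user as a member
    while IFS=: read -r gname _ _ members; do
        case ",$members," in
            *",$user,"*) groups="$groups
$gname" ;;
        esac
    done <<EOF
$(getent group)
EOF
    # feed the collected names to would_allow as separate arguments
    old_ifs=$IFS
    IFS='
'
    set -- $groups
    IFS=$old_ifs
    would_allow "$allowfile" "$@"
}

# Stand-alone demonstration on a constructed allowgroups file
if [ "${0##*/}" != "sh" ] && [ -z "${ALLOWGROUPS_NO_DEMO:-}" ]; then
    demo=$(mktemp)
    printf 'root\ndomain admins\n' > "$demo"
    would_allow "$demo" users "domain admins" && echo "member of domain admins: allowed"
    would_allow "$demo" users "domain users" || echo "only in domain users: denied"
    would_allow /nonexistent/allowgroups root || echo "list missing (onerr=fail): denied"
    rm -f "$demo"
fi
```

Run it as a script for the demonstration, or source it and call would_allow_user /usr/local/etc/allowgroups someuser for each account you intend to test, with root's own shell kept open as the reply advises.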