PAM question

cisaksen · January 21, 2014, 9:35pm

Using SUSE 11 sp3 for VMWARE -

Samba/winbind I have followed several examples about how to setup a SAMBA share using AD authentication but not allowing AD users the ability to log in by any means. I have setup the samba share with the ad users explicitly set in the samba.conf. Then I would go into /etc/pam.d/common-auth and add after “auth required pam_winbind.so use_first_pass” [COLOR="#800080"]require_membership_of=[sid of domain admins][/COLOR] and this works except!!
At the top of the common-auth states: # This file is autogenerated by pam-config. All changes will be overwritten and they do.

So where would I set the require_membership_of= to restrict log in capabilities. Or is there a way to prevent pam-conf from overriding any changes, or is there a way to set them in pam-conf.

Thanks

mikewillis · January 25, 2014, 6:19pm

Well no one else has offered an answer yet, so I’m going to suggest one approach you could take would be to make /etc/pam.d/common-auth a file rather than a symlink to /etc/pam.d/common-auth-pc. That way pam-config won’t change it.

$ cd /etc/pam.d/ $ unlink common-auth $ grep -v ^# common-auth-pc > common-auth

Topic		Replies	Views
Winbind / PAM insufficient restrictions SLES Configure-Administer	1	204	July 20, 2015
Samba Question- AD authentication to shares SLES Configure-Administer	1	208	August 14, 2013
How to add AD user or group to a Local Linux Group SLES Configure-Administer	3	458	September 12, 2013
Managing AD Group Permissions SLES Configure-Administer	1	211	January 25, 2017
Samba with SSSD SLES Configure-Administer	4	330	April 26, 2018

PAM question

Related topics