Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Winbind and pam - restrict all services except for samba access
Operating Systems Linux Red Hat Winbind and pam - restrict all services except for samba access Post 302594727 by klyne on Wednesday 1st of February 2012 04:47:51 AM
Old 02-01-2012
Winbind and pam - restrict all services except for samba access
Hi,

I have recently taken control of a number of RHEL5.3 servers that have samba shares setup on them and are authenticating using pam and winbind. My issue is that any user that has an active directory account can currently log in to the linux boxes using their ad credentials. I need to restrict all services except for samba access.

As a test to try and disable ssh I have tried adding the below line to /etc/pam.d/sshd but this has had the effect of stopping all new ssh connections. I hav also created the /etc/ssh_allow.pamlist file with the list of users that require access:

Code:
 
auth       required   pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist


/etc/pam.d/sshd

Code:
 
#%PAM-1.0
#auth       required   pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

/etc/pam.d/system-auth-ac
Code:
 
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass

Any help would be greatly appreciated.

Thanks,
Keith
 

10 More Discussions You Might Find Interesting

1. Linux

Enable sudo for Win AD users authenticated with Linux samba winbind service

Hi everyone, I wonder if anyone ever came across the idea of unifying AD and Linux user accounts We have a Linux machine with 'samba' 'winbind' service configured to let Windows AD users to logon locally using their AD accounts and passwords. I can use 'su' to get to the local user privilege... (0 Replies)
Discussion started by: will_mike
0 Replies

2. SCO

Authentication problems with Active Directory/Samba/Winbind/Pam

Hi all. I'm having real trouble authenticating users against active directory for my SCO UnixWare 7.1.4 box running samba 3.0.24 (installed via Maintenance pack 4). I can list AD users/groups (after overcoming several hiccups) with wbinfo -g / wbinfo -u. I can use id to get a view an ad user ie:... (0 Replies)
Discussion started by: silk600
0 Replies

3. UNIX for Dummies Questions & Answers

Restrict user access.

Hi All, How can we restrict a particular user access to a particular shell in solaris 10. Thanks in Advance. (5 Replies)
Discussion started by: rama krishna
5 Replies

4. Red Hat

Restrict user access

Hi there I have an application user on my system that wants accesses to these file systems as such: rwx: /SAPO /SAPS12 /R3_888 /R3_888B /R3_888F /R3_888R r: /usr/sap these are the existing FS permissions:ownerships: # ls -ld /SAPO (9 Replies)
Discussion started by: hedkandi
9 Replies

5. Ubuntu

Restrict SUDO Access

Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux Hi Folks, Please help me. I am bit struck here. Here is the OS info. Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux I have a... (17 Replies)
Discussion started by: explorer007
17 Replies

6. Solaris

samba read write access to owner and no access to other users

Hi All, I want to configure samba share permission so that only directory creator/owner has a read and write permission and other users should not have any read/write access to that folder.Will that be possible and how can this be achieved within samba configuration. Regards, Sahil (1 Reply)
Discussion started by: sahil_shine
1 Replies

7. UNIX for Dummies Questions & Answers

Restrict access

I'm trying to use squid to restrict elinks' access to certain websites(only http traffic). I have tried some configs in squid.conf but no luck. Hope someone has a bit of time to explain me how can you make these config's :) ---------- Post updated at 05:40 PM ---------- Previous update was at... (1 Reply)
Discussion started by: Birnbacher
1 Replies

8. Red Hat

Samba/Winbind issue - Can't get user and group info from sub domains

Hi, We now have a Samba or Winbind issue. The Linux client under RHEL6 can not get Windows' AD sub-domain info. See the following output please. The main domain 'Global' is shown online, but the sub-domain 'Europe' and 'Asia' are shown offline although they are online. Commands 'wbinfo -u' and... (0 Replies)
Discussion started by: aixlover
0 Replies

9. AIX

Samba 3.6.22 on AIX 7.1 with Windows AD (Kerberos and winbind)

Hi all, I have installed samba 3.6.22 on AIX 7.1 and join a windows AD with success. All seem to work fine, I have configured smb.conf, methods.cfg, kerberos, user .... the following command work fine wbinfo -u, wbinfo -g, wbinfo -i, wbinfo -s, wbinfo -S, lsuser, id... The unique... (20 Replies)
Discussion started by: PhilippeA
20 Replies

10. UNIX for Advanced & Expert Users

Configure samba with PAM point 2 different LDAP

Hi, I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA. Is possibile duplicate the... (2 Replies)
Discussion started by: mark888
2 Replies

LEARN ABOUT DEBIAN

pam_loginuid

PAM_LOGINUID(8) 						 Linux-PAM Manual						   PAM_LOGINUID(8)

NAME

       pam_loginuid - Record user's login uid to the process attribute

SYNOPSIS

       pam_loginuid.so [require_auditd]

DESCRIPTION

       The pam_loginuid module sets the loginuid process attribute for the process that was authenticated. This is necessary for applications to
       be correctly audited. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd. There
       are probably other entry point applications besides these. You should not use it for applications like sudo or su as that defeats the
       purpose by changing the loginuid to the account they just switched to.

OPTIONS

       require_auditd
	   This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running.

MODULE TYPES PROVIDED

       Only the session module type is provided.

RETURN VALUES

       PAM_SESSION_ERR
	   An error occurred during session management.

EXAMPLES

	   #%PAM-1.0
	   auth       required	   pam_unix.so
	   auth       required	   pam_nologin.so
	   account    required	   pam_unix.so
	   password   required	   pam_unix.so
	   session    required	   pam_unix.so
	   session    required	   pam_loginuid.so

SEE ALSO

       pam.conf(5), pam.d(5), pam(7), auditctl(8), auditd(8)

AUTHOR

       pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>

Linux-PAM Manual						    06/04/2011							   PAM_LOGINUID(8)
All times are GMT -4. The time now is 05:37 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy