Pam.d and make difference between AD User and local user on Linux
# 1  

Hello,

I configured RHEL Linux 6 with an AD directory to authorize Windows users to connect to the system, and it works.

I have accounts with high privileges (oracle, for example); if such an account is created on the AD server, I would like to block it.

I looked for how to do this; so far all the examples I found use groups on the AD server, but I would like to manage this from the Linux server. Do you have an idea?

Regards,

Vincenzo
# 2  
How are you connected to Active Directory? Are you using sssd auth? If so, you can use a value in /etc/sssd/sssd.conf:
Code:
access_provider = simple
simple_allow_groups = onlythisone, orthisgroup

If you are using nscd/nslcd, which use a more traditional LDAP method, there's an option somewhere for your LDAP search string. You can write a query that matches just the groups or users you want to allow.

Last edited by bgstack15; 10-05-2018 at 11:20 AM. Reason: fix tags
# 3  
Hi,

Thanks bgstack15 for your answer.
I use sssd. Does simple_allow_groups use groups from the AD or local groups?

Vincent
# 4  
Finally, I found the solution.

Modify both files, /etc/pam.d/system-auth-ac as well as /etc/pam.d/password-auth-ac.

Add this line for the user test:
Code:
auth requisite pam_succeed_if.so user != test

Put the line as shown below:
Code:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_succeed_if.so user != test    <-- The entry should be added here.

Vincenzo
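As an added example (not code from any post in this thread), a POSIX shell audit that lists which local account names are also provided by the directory and prints the pam_succeed_if rule from post #4 for each; the passwd content and the AD user list are constructed stand-ins for /etc/passwd and for the names sssd returns through getent passwd. Since pam_succeed_if matches on the user name alone, such a rule also refuses the local account of that name, which is what this audit makes visible before the rule goes in.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Audits which local account
# names are also served by the directory and emits, for each collision, the
# pam_succeed_if rule used in post #4. All sample data is constructed.

# Constructed stand-in for /etc/passwd (local accounts only).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:501:501:Oracle owner:/home/oracle:/bin/bash
vincenzo:x:502:502::/home/vincenzo:/bin/bash'

# Constructed stand-in for the user names sssd would hand back through
# getent passwd (the AD side); assumed here instead of a live query.
AD_USERS='oracle
jsmith
test'

# is_local_user NAME: succeeds if NAME has an entry in the local passwd data.
is_local_user() {
    printf '%s\n' "$LOCAL_PASSWD" |
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# in_ad NAME: succeeds if the directory also provides NAME.
in_ad() {
    printf '%s\n' "$AD_USERS" | grep -qx -- "$1"
}

# colliding_users: local names that an AD account of the same name could match.
colliding_users() {
    printf '%s\n' "$LOCAL_PASSWD" | awk -F: '{ print $1 }' |
        while IFS= read -r name; do
            if in_ad "$name"; then printf '%s\n' "$name"; fi
        done
}

# pam_block_line NAME: the rule from post #4, placed after the uid >= 500 check.
# It matches on the name alone, so it refuses the local NAME account as well.
pam_block_line() {
    printf 'auth requisite pam_succeed_if.so user != %s\n' "$1"
}

# Report each collision and the rule that would refuse it.
colliding_users | while IFS= read -r name; do
    printf '# local account %s also exists in AD\n' "$name"
    pam_block_line "$name"
done
```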