Allow only root and domain group to login on Linux server

active-directoryauthentication

I have successfully installed PBIS-open to authenticate against active directory. I also used the /opt/pbis/bin/config RequireMembershipOf command to allow a certain domain group to login.

I would now like to allow root, and the group(s) specified with the /opt/pbis/bin/config RequireMembershipOf command, and deny all other local users to login. Is there any way to do this?

Best Answer

If you would like to use pam_access in redhat and centos and so on, first you need to include the module in your pam configura as follow.

authconfig --update --enablepamaccess

Now you can configure which users that can use your server.

/etc/security/access.conf:

my example rules

+ : DOMAIN\admins : ALL
+ : root : ALL
- : ALL : ALL

If you use DOMAIN\ sintax in front of the users and groups, that would say you are using winbind, for AD join, I'm using pam_ldap with sfu in the windows side, for this reason in my comments I don't use the domain.

Now you have configured Pam for the users access control, but Now you need to be sure that sshd is using pam,

grep "UsePAM" /etc/ssh/sshd_config
UsePAM yes

If the UsePAM isn't yes, you need to change this to yes and restart sshd service

Related Solutions

Iis – Non-Domain IIS server authenticate on domain

I ran into a similar requirement when trying to figure out how to leverage Active Directory for BlogEngine.NET. After spending some time researching I was able to use Active Directory user accounts with the Basic Authentication .NET Membership framework.

This worked on my domain member web server but could easily work for non-domain member servers assuming you add the username and password to the configuration section of the web.config.

From my blog post about how to configure:

Add an entry into the section pointing to your domain controller.

<add name="ADConnectionString" connectionString="LDAP://server.domain.com/DC=domain,DC=com" />

Notice the first part of the LDAP:// syntax specifies the name of the domain controller (server.domain.com). You have a couple of options here. You can specify the Fully Qualified Domain Name as shown in the example; you can specify the relativeDistinguishedNamek (ex. server); you can specify the IP Address of the domain controller (ex. 192.168.1.10); or for more redundancy you can specify just the domain name (ex. domain.com).

Make your section look like the following:

<membership defaultProvider="MyADMembershipProvider">
      <providers>
        <add name="MyADMembershipProvider"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="ADConnectionString"
                 attributeMapUsername="sAMAccountName"
                 enableSearchMethods="true"/>
      </providers>
</membership>

You will notice that I did not configure a username and password for connecting into Active Directory. That's because I am running BlogEngine on a domain member server and the IIS services are running under an application pool using Network Services account. If you must use explicit credentials then you can add connectionUsername and connectionPassword to the MyADMembershipProvider entry with the appropriate information.

Windows Active Directory – Command Line to List Users in a Group

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members

Best Answer

Related Solutions

Iis – Non-Domain IIS server authenticate on domain

Windows Active Directory – Command Line to List Users in a Group

Related Topic