Disclaimer: You probably shouldn't try to `require_membership_of` for `root`. Is there ever a case where `root` should not be able to login? You risk not being able to repair this machine without rebooting into single mode if something goes wrong (like its network going down).
I'll answer anyway.

TL;DR: If you want to enforce membership even for local users (root included), replace the first `sufficient` with a `requisite`.

`require_membership_of` is only used in `pam_winbind.c` in `pam_sm_chauthtok` (involved in the management group `password`) and `pam_sm_authenticate` (involved in the management group `auth`).

So if a user does not have the membership you require, the PAM step that will fail looks like:

`auth [...] pam_winbind.so [...]`

You do have one, but it's marked as `sufficient`:

`auth sufficient pam_winbind.so`

So if it fails, PAM will keep going through its chain. Next stop:

`auth sufficient pam_unix.so nullok try_first_pass`

This one will succeed if `getent passwd root` returns a valid user, `getent shadow root` (run as `root`) returns a valid encrypted password, and the password entered by the user matches.

I won't walk you through the rest, but nothing else will prevent `root` from logging in.

I would refer you to pam.d(5) for more information about the general PAM configuration mechanism, pam_unix(8) & co for the various modules.
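As an added illustration, not part of the answer above, here is the `auth` stack it describes: first with the `sufficient` ordering that lets `pam_unix` admit `root`, then with the first `sufficient` replaced by `requisite`. The file layout, module arguments and the group name `EXAMPLE\admins` are assumptions made for the example.

```text
# "auth" stack in the style of /etc/pam.d/system-auth (constructed example).
# "EXAMPLE\admins" is a placeholder domain group; a group SID works as well.

# Before: a non-member fails pam_winbind, but "sufficient" only ignores that
# failure, so PAM falls through to pam_unix, which accepts root's local password.
auth    sufficient  pam_winbind.so require_membership_of=EXAMPLE\admins
auth    sufficient  pam_unix.so nullok try_first_pass
auth    required    pam_deny.so

# After: "requisite" aborts the stack as soon as pam_winbind fails, so pam_unix
# is never consulted and root (or any other local-only account) cannot log in.
# A group member passes pam_winbind; pam_unix then fails for the domain account,
# but the failure of a "sufficient" module is ignored, so the stack succeeds.
auth    requisite   pam_winbind.so require_membership_of=EXAMPLE\admins
auth    sufficient  pam_unix.so nullok try_first_pass
```

The trailing `required pam_deny.so` is deliberately absent from the second stack: after the `requisite` line, that ignored `pam_unix` failure for domain accounts would otherwise reach `pam_deny` and turn a successful winbind authentication into a denial.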
Best Answer

Assuming the groups are available to the Linux system, I recommend editing `/etc/security/access.conf` for Ubuntu, RedHat distributions (and their forks) and probably a bunch of others. This doesn't require editing PAM files, and is a nicely standard place to do it. There are usually examples in the file, commented out.
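An added example of the file this answer points to, written for this page rather than taken from the answer. It assumes `pam_access.so` is active in the `account` stack (on some distributions the line in `/etc/pam.d/` ships commented out) and uses `admins` as a placeholder group name.

```text
# /etc/security/access.conf (constructed example).
# Read by pam_access.so; one rule per line, "permission : users/groups : origins",
# evaluated top to bottom, first match wins. "admins" is a placeholder group.

# root keeps console access for repair work (LOCAL covers non-network logins)
+ : root : LOCAL
# members of the admins group may log in from any origin
+ : (admins) : ALL
# everyone else is refused
- : ALL : ALL
```

Parentheses mark a group name rather than a user name, and the final `- : ALL : ALL` is what makes the list a whitelist; without it, anyone not matched by an earlier rule is still allowed.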