Linux with winbind, disable local users while AD is available

active-directorypamwinbind

Routers and switches with RADIUS authentication can be configured such that login is disabled for locally configured users as long as the RADIUS server is available. If the RADIUS server becomes unavailable, they fall back to allowing login as a locally configured user.

Is it possible to achieve the same effect with Linux machines using winbind to authenticate Active Directory users? I have a feeling it could be done with the right PAM configuration, but I'm not very far along on the PAM learning curve…

Best Answer

Yes, it is possible.

Basically you will need to make sure that you have pam_unix below pam_winbind in your pam config like in following example:

auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

You will also need to make sure nsswitch is configured to fall back to local ids:

passwd:     winbind files
shadow:     winbind files
group:      winbind files

There are detailed docs on samba website:

BUT: you may face some problems with long login times if you won't set up hard timeouts. I would also recommend to research for other alternatives that may work better in such cases.

Related Solutions

Samba – Linux authentication via ADS — allowing only specific groups in PAM

Disclaimer: You probably shouldn't try to require_membership_of for root. Is there ever a case where root should not be able to login? You risk not being able to repair this machine without rebooting into single mode if something goes wrong (like its network going down).

I'll answer anyway.

TL;DR: If you want to enforce membership even for local users (root included), replace the first sufficient with a requisite.

require_membership_of is only used in pam_winbind.c in pam_sm_chauthtok (involved in the management group password) and pam_sm_authenticate (involved in the management group auth).

So if a user does not have the membership you require, the PAM step that will fail looks like:

auth [...] pam_winbind.so [...]

You do have one, but it's marked as sufficient:

auth sufficient pam_winbind.so

So if it fails, PAM will keep going through its chain. Next stop:

auth sufficient pam_unix.so nullok try_first_pass

This one will succeed, if getent passwd root returns a valid user, getent shadow root (ran as root) returns a valid encrypted password, and the password entered by the user matches.

I won't walk you through the rest, but nothing else will prevent root from logging in.

I would refer you to pam.d(5) for more information about the general PAM configuration mechanism, pam_unix(8) & co for the various modules.

Linux – PAM with KRB5 to Active Directory – How to prevent update of AD password

But then when attempting to change the Linux password, if they provide their A/D password for the authentication prompt, they get the error:

passwd: Authentication token manipulation error

How is this a problem? If you want to update your Linux password you type in your current Linux password. Your requirement #2 is still satisfied. Do you have a 3rd requirement?

Allow a user to change their Linux password without first entering it.

Best Answer

Related Solutions

Samba – Linux authentication via ADS — allowing only specific groups in PAM

Linux – PAM with KRB5 to Active Directory – How to prevent update of AD password

Related Topic