Disclaimer: You probably shouldn't try to `require_membership_of` for `root`. Is there ever a case where `root` should not be able to log in? You risk not being able to repair this machine without rebooting into single mode if something goes wrong (like its network going down).
I'll answer anyway.
TL;DR: If you want to enforce membership even for local users (root included), replace the first `sufficient` with a `requisite`.
`require_membership_of` is only used in `pam_winbind.c`, in `pam_sm_chauthtok` (involved in the management group `password`) and `pam_sm_authenticate` (involved in the management group `auth`).
So if a user does not have the membership you require, the PAM step that will fail looks like:
auth [...] pam_winbind.so [...]
You do have one, but it's marked as `sufficient`:
auth sufficient pam_winbind.so
So if it fails, PAM will keep going through its chain. Next stop:
auth sufficient pam_unix.so nullok try_first_pass
This one will succeed if `getent passwd root` returns a valid user, `getent shadow root` (run as `root`) returns a valid encrypted password, and the password entered by the user matches.
I won't walk you through the rest, but nothing else will prevent `root` from logging in.
I would refer you to pam.d(5) for more information about the general PAM configuration mechanism, and to pam_unix(8) & co for the various modules.
> But then when attempting to change the Linux password, if they provide their A/D password for the authentication prompt, they get the error:
> `passwd: Authentication token manipulation error`
How is this a problem? If you want to update your Linux password you type in your current Linux password. Your requirement #2 is still satisfied. Do you have a 3rd requirement?
- Allow a user to change their Linux password without first entering it.
Best Answer
Yes, it is possible.
Basically you will need to make sure that you have pam_unix below pam_winbind in your pam config, like in the following example:
You will also need to make sure nsswitch is configured to fall back to local ids:
There are detailed docs on the samba website:
BUT: you may face some problems with long login times if you don't set up hard timeouts. I would also recommend researching other alternatives that may work better in such cases.
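Added example, not code from either answer nor from Linux-PAM or Samba: a small Python model of how Linux-PAM walks an `auth` stack, so the `sufficient` vs `requisite` point in the first answer and the "pam_unix below pam_winbind" ordering in the best answer can be traced module by module. The accounts, passwords, the group name `linux-admins` and the simplified module behaviour are constructed for the simulation; the control-flag semantics follow pam.d(5), where `sufficient` is `[success=done default=ignore]`, `requisite` is `[success=ok default=die]` and `required` is `[success=ok default=bad]`. It also runs two stacks not shown on the page: one with a trailing `required pam_deny.so` (assumed here because many distribution stacks end that way), which turns a successful `requisite` winbind result into a denial for domain users, and one using the bracket form `[success=done default=die]`, which makes a successful winbind result terminal while still blocking local accounts.

```python
"""Toy model of Linux-PAM auth-stack dispatch (added example, not code from the
answers above). Module behaviour, accounts and passwords are constructed."""

# Control flags expanded to (action on success, action on failure), per pam.d(5).
CONTROLS = {
    "required":   ("ok", "bad"),
    "requisite":  ("ok", "die"),
    "sufficient": ("done", "ignore"),
}

# Constructed directory data. Plaintext passwords keep the simulation short;
# the real pam_unix compares against a hashed shadow entry.
LOCAL_SHADOW = {"root": "local-root-pw"}
DOMAIN_USERS = {                      # AD user -> groups (as winbind would report)
    "alice": {"Domain Users", "linux-admins"},
    "bob":   {"Domain Users"},
}
DOMAIN_PASSWORD = "domain-pw"

def pam_winbind(user, password, args):
    """Succeeds only for a domain user with the right password who is in the
    group named by require_membership_of (if given). A local-only account
    such as root is 'user unknown' to winbind, i.e. a failure."""
    groups = DOMAIN_USERS.get(user)
    if groups is None or password != DOMAIN_PASSWORD:
        return False
    needed = args.get("require_membership_of")
    return needed is None or needed in groups

def pam_unix(user, password, args):
    """Succeeds when the user has a local shadow entry and the password matches."""
    return LOCAL_SHADOW.get(user) == password

def pam_deny(user, password, args):
    return False

MODULES = {"pam_winbind.so": pam_winbind, "pam_unix.so": pam_unix, "pam_deny.so": pam_deny}

def run_auth_stack(stack, user, password):
    """Dispatch the stack the way Linux-PAM does, tracking an 'impression'
    (None = undecided, True = positive, False = negative). A control may be a
    flag name or an explicit (on_success, on_failure) action pair."""
    impression = None
    for control, module, args in stack:
        on_ok, on_fail = CONTROLS[control] if isinstance(control, str) else control
        action = on_ok if MODULES[module](user, password, args) else on_fail
        if action == "ok" and impression is None:
            impression = True      # success recorded, keep walking the stack
        elif action == "done" and impression is not False:
            return True            # e.g. a sufficient module succeeded: stop now
        elif action == "bad":
            impression = False     # required failure: keep going, final answer is no
        elif action == "die":
            return False           # requisite failure: stop immediately
        # "ignore": a sufficient module that failed changes nothing
    return impression is True      # undecided (every sufficient failed) means denied

WINBIND = ("pam_winbind.so", {"require_membership_of": "linux-admins"})
UNIX    = ("pam_unix.so", {"nullok": True, "try_first_pass": True})
DENY    = ("pam_deny.so", {})

AS_POSTED     = [("sufficient",) + WINBIND, ("sufficient",) + UNIX]
REQUISITE_FIX = [("requisite",) + WINBIND,  ("sufficient",) + UNIX]
WITH_DENY     = REQUISITE_FIX + [("required",) + DENY]          # assumed trailing pam_deny
DONE_OR_DIE   = [(("done", "die"),) + WINBIND, ("sufficient",) + UNIX, ("required",) + DENY]

if __name__ == "__main__":
    stacks = [("as posted", AS_POSTED), ("requisite", REQUISITE_FIX),
              ("requisite + pam_deny", WITH_DENY), ("[success=done default=die]", DONE_OR_DIE)]
    for name, stack in stacks:
        for user, pw in [("root", "local-root-pw"), ("alice", "domain-pw"), ("bob", "domain-pw")]:
            verdict = "allowed" if run_auth_stack(stack, user, pw) else "denied"
            print(f"{name:28} {user:6} -> {verdict}")
```

Running it shows why the first answer's chain lets `root` in (winbind's failure is ignored under `sufficient`, then pam_unix succeeds), why `requisite` stops `root` at the first line, and the check worth doing before copying that fix: if the stack ends in `required pam_deny.so`, a domain user who passes the `requisite` winbind line still falls through to the deny and is rejected, whereas `[success=done default=die]` ends the stack on winbind success and dies on winbind failure.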