
View Full Version : Winbind / PAM insufficient restrictions



sfolkmann
14-Jul-2015, 09:58
Hey

I have been trying to get my head around this for a while, but it seems like I am overlooking something.

We started to configure this on SLES 11 SP3, and have migrated it to SLES 12 as well.

What I am seeing is that any valid AD member is allowed to log on to the servers; there are no restrictions.
When we came up with this configuration I am sure it worked, but I might not remember correctly, or might not have tested it thoroughly enough.

Here is the output of my PAM files:

/etc/nsswitch.conf

# 2014 - Configuration file modified for AD Authentication

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

common-account

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass

common-auth

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000
account [default=ignore success=1] pam_succeed_if.so user ingroup DOMAIN\dlg_delegate_servers_standard_admin_prod
account [default=bad success=ignore] pam_succeed_if.so user ingroup DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME

common-password

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
password sufficient pam_winbind.so
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

common-session

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session required pam_winbind.so
session optional pam_umask.so

Any comments would be greatly appreciated.
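Added example (my own suggestion, not the poster's configuration): the three `account` lines at the bottom of common-auth are the only thing in this stack that restricts who may log in, but on SLES the service files (sshd, login, gdm and so on) pull these fragments in with `auth include common-auth` and `account include common-account`, and the `include` control only imports lines whose module type matches the including line. An `account` line sitting in common-auth is therefore never evaluated, pam_winbind's account check succeeds for every valid domain user, and nothing limits logins to the two groups. Moving those lines to common-account, after the existing winbind line, gives:

```conf
#%PAM-1.0
# common-account: corrected layout (assumed group names copied from the post)
account requisite pam_unix2.so
account sufficient pam_localuser.so
# use_first_pass only means something for auth; it does nothing for account management
account required pam_winbind.so
# local/system accounts (uid < 10000) skip both group checks
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000
# delegated admins: success jumps over the per-host check, end of stack
account [default=ignore success=1] pam_succeed_if.so user ingroup DOMAIN\dlg_delegate_servers_standard_admin_prod
# everyone else must be in the per-host admin group
account [default=bad success=ignore] pam_succeed_if.so user ingroup DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME
```

Two things to verify before relying on this. First, pam_succeed_if's `ingroup` resolves the group through NSS, so `getent group 'DOMAIN\dlg_delegate_servers_standard_admin_prod'` and `id 'DOMAIN\someuser'` must both work on the box with exactly that separator; if `winbind separator` or `winbind use default domain` in smb.conf differs, the names in the PAM lines must match what `id` prints. Second, the `uid >= 10000` line exempts anyone below that uid from both group checks, so it is only a safe shortcut if the winbind idmap range starts at or above 10000; a domain user mapped to a lower uid would walk straight past the restriction. pam_winbind also has its own `require_membership_of=` option (on the module line or in /etc/security/pam_winbind.conf), which is a simpler way to enforce a single group without pam_succeed_if jump arithmetic. After the change, test with a domain account that is in neither group and confirm sshd rejects it at the account stage in /var/log/messages.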
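A small lint to catch this class of mistake, added here as an example and not part of the original post. It reads a common-TYPE fragment and reports every directive whose module type is not TYPE, since those lines are silently dropped when a service file includes the fragment with `auth include common-auth` and friends. The sample input is a constructed copy of the poster's common-auth; on a real host point it at /etc/pam.d/common-* instead.

```shell
#!/bin/sh
# Added example (not from the original post): lint SLES-style PAM include files.
# A service file such as /etc/pam.d/sshd pulls the fragments in with
#   auth    include common-auth
#   account include common-account
# and "include" only imports lines of the same module type, so an "account"
# line placed in common-auth is never evaluated by any service.

# Constructed copy of the poster's common-auth (sample input, not read from disk).
SAMPLE_COMMON_AUTH='#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000
account [default=ignore success=1] pam_succeed_if.so user ingroup DOMAIN\dlg_delegate_servers_standard_admin_prod
account [default=bad success=ignore] pam_succeed_if.so user ingroup DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME'

# pam_lines_of_type TYPE   (stdin: a PAM file)
# Prints only the directive lines whose module type is TYPE. A leading "-"
# (Linux-PAM's "ignore a missing module" marker) is tolerated on the type.
pam_lines_of_type() {
  awk -v want="$1" '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    { t = $1; sub(/^-/, "", t); if (t == want) print }
  '
}

# pam_misplaced_lines TYPE   (stdin: the common-TYPE fragment)
# Prints every directive whose type is not TYPE; exit status 1 if any exist.
pam_misplaced_lines() {
  awk -v want="$1" '
    /^[[:space:]]*(#|$)/ { next }
    { t = $1; sub(/^-/, "", t); if (t != want) { n++; print } }
    END { exit (n ? 1 : 0) }
  '
}

# Run on the constructed sample: the three "account" lines are reported.
printf '%s\n' "$SAMPLE_COMMON_AUTH" | pam_misplaced_lines auth \
  || echo 'common-auth: directives of another type found; move them to their own common-* file'

# On a live system, check all four fragments the same way:
#   for t in auth account password session; do
#     pam_misplaced_lines "$t" < "/etc/pam.d/common-$t" || echo "common-$t has misplaced lines"
#   done
```

`pam_lines_of_type account` on the same input prints exactly the lines that belong in common-account, which is a convenient way to cut and paste them across without retyping the group names.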

Automatic reply
20-Jul-2015, 05:30
sfolkmann,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com