Hey

I have been trying to get my head around this for a while, but it seems like I am overlooking something.

We started to configure this on SLES 11 SP3, and have migrated it to SLES 12 as well.

What I am seeing is that any valid AD member is allowed to log on to the servers; there are no restrictions.
When we came up with this configuration I am sure it worked, but I might not remember correctly, or might not have tested it thoroughly enough.

Here is the output of my PAM files:

/etc/nsswitch.conf

# 2014 - Configuration file modified for AD Authentication

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

common-account

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass

common-auth

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000
account [default=ignore success=1] pam_succeed_if.so user ingroup DOMAIN\dlg_delegate_servers_standard_admin_prod
account [default=bad success=ignore] pam_succeed_if.so user ingroup DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME

common-password

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
password sufficient pam_winbind.so
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

common-session

#%PAM-1.0
# 2014 - Configuration file modified for AD Authentication
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session required pam_winbind.so
session optional pam_umask.so

Any comments would be greatly appreciated.
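One way to check which of the rules above a service actually evaluates, as an added example that is not part of the original post: a Python script that emulates how Linux-PAM resolves `include`/`substack` (per pam.d(5), an include pulls in only the lines whose management type matches the including rule). It assumes a service file in the SLES pam-config layout, constructed here together with the common-auth and common-account contents quoted above.

```python
import re
# Constructed sample in the SLES pam-config layout. Assumption: the service
# file (e.g. /etc/pam.d/sshd) includes each common-* file for its own type.
FILES = {
    "sshd": "auth include common-auth\naccount include common-account\n",
    "common-auth": """
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000
account [default=ignore success=1] pam_succeed_if.so user ingroup DOMAIN\\dlg_delegate_servers_standard_admin_prod
account [default=bad success=ignore] pam_succeed_if.so user ingroup DOMAIN\\g1.servers_lcladmin.prod_standard_HOSTNAME
""",
    "common-account": """
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
""",
}
# type, control (a bracketed control may contain spaces), module, arguments
RULE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line) if line and not line.startswith("#") else None
        if m:
            rules.append((m.group(1).lower(), m.group(2), m.group(3), m.group(4)))
    return rules

def resolve(service, mtype, files=FILES, visited=None):
    """Rules evaluated for one management type, following include/substack,
    which per pam.d(5) pull in only lines of the including rule's type."""
    visited = visited if visited is not None else set()
    visited.add(service)
    out = []
    for rtype, ctrl, module, args in parse(files[service]):
        if rtype == mtype and ctrl in ("include", "substack"):
            out.extend(resolve(module, mtype, files, visited))
        elif rtype == mtype:
            out.append((service, (rtype, ctrl, module, args)))
    return out

def dead_rules(service, files=FILES):
    """Rules in a reachable file that no management type ever evaluates."""
    visited, live = set(), set()
    for mtype in ("auth", "account", "password", "session"):
        live.update(resolve(service, mtype, files, visited))
    return [(f, r) for f in sorted(visited) for r in parse(files[f])
            if r[1] not in ("include", "substack") and (f, r) not in live]
```

With this sample, `resolve("sshd", "account")` returns only the three rules from common-account, and `dead_rules("sshd")` lists the three pam_succeed_if rules, because common-auth is reached only through the auth include.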