Thread: Winbind / PAM insufficient restrictions

  1. #1

    Winbind / PAM insufficient restrictions

    Hey

    I have been trying to get my head around this for a while, but it seems like I am overlooking something.

    We started to configure this on SLES 11 SP3, and have migrated it to SLES 12 as well.

    What I am seeing is that any valid AD member is allowed to log on to the servers; there are no restrictions.
    When we came up with this configuration I am sure it worked, but I might not remember correctly, or might not have tested it thoroughly enough.

    Here is the output of my PAM files:

    /etc/nsswitch.conf

    # 2014 - Configuration file modified for AD Authentication

    passwd: compat winbind
    group: compat winbind
    shadow: compat

    hosts: files dns
    networks: files dns

    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files nis
    publickey: files

    bootparams: files
    automount: files nis
    aliases: files

    common-account

    #%PAM-1.0
    # 2014 - Configuration file modified for AD Authentication
    account requisite pam_unix2.so
    account sufficient pam_localuser.so
    account required pam_winbind.so use_first_pass

    common-auth

    #%PAM-1.0
    # 2014 - Configuration file modified for AD Authentication
    auth required pam_env.so
    auth sufficient pam_unix2.so
    auth required pam_winbind.so use_first_pass
    account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000
    account [default=ignore success=1] pam_succeed_if.so user ingroup DOMAIN\dlg_delegate_servers_standard_admin_prod
    account [default=bad success=ignore] pam_succeed_if.so user ingroup DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME

    common-password

    #%PAM-1.0
    # 2014 - Configuration file modified for AD Authentication
    password sufficient pam_winbind.so
    password requisite pam_pwcheck.so nullok cracklib
    password required pam_unix2.so use_authtok nullok

    common-session

    #%PAM-1.0
    # 2014 - Configuration file modified for AD Authentication
    session optional pam_mkhomedir.so
    session required pam_limits.so
    session required pam_unix2.so
    session required pam_winbind.so
    session optional pam_umask.so

    Any comments would be greatly appreciated.
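Added example, not from the thread: a small Python model of how Linux-PAM walks a module stack with the keyword and bracketed control actions used in the files above. It assumes the service files pull the common files in with `auth include common-auth` / `account include common-account`, so only lines of the matching type are read, and the module results are stand-ins chosen for the model, not the real modules.

```python
import re
# Stand-in account stack: the posted common-account with the three pam_succeed_if
# lines from common-auth moved in front of pam_winbind (only ">=" and "ingroup" modelled).
HARDENED = r"""
account requisite pam_unix2.so
account sufficient pam_localuser.so
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000
account [default=ignore success=1] pam_succeed_if.so user ingroup DOMAIN\dlg_delegate_servers_standard_admin_prod
account [default=bad success=ignore] pam_succeed_if.so user ingroup DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME
account required pam_winbind.so use_first_pass
"""
# As posted: `account include common-account` never reaches lines living in common-auth.
POSTED = "\n".join(ln for ln in HARDENED.splitlines() if "succeed_if" not in ln)
SHORTHAND = {"required": "success=ok default=bad", "requisite": "success=ok default=die",
             "sufficient": "success=done default=ignore", "optional": "success=ok default=ignore"}

def parse_stack(text, stack_type):
    """Keep only lines of the given type, as an `include` does; return (control, module, args)."""
    rows = [re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", ln) for ln in text.strip().splitlines()]
    return [(m[2].strip("[]") if m[2].startswith("[") else SHORTHAND[m[2]], m[3], m[4].split())
            for m in rows if m and m[1] == stack_type]

def module_ok(module, args, user):
    """Stand-in module results, not the real modules; user = {'uid', 'local', 'groups'}."""
    if module == "pam_succeed_if.so":
        a = [x for x in args if x != "quiet"]
        return user["uid"] >= int(a[2]) if a[0] == "uid" else a[2] in user["groups"]
    if module in ("pam_localuser.so", "pam_winbind.so"):
        return user["local"] == (module == "pam_localuser.so")
    return True  # pam_unix2 account: user resolvable through nsswitch

def account_allowed(text, user):
    """Walk the account stack with Linux-PAM's ignore/ok/done/bad/die/N control actions."""
    mods, impression, i = parse_stack(text, "account"), None, 0
    while i < len(mods):
        control, module, args = mods[i]
        act = dict(p.split("=") for p in control.split())
        action = act.get("success", act["default"]) if module_ok(module, args, user) else act["default"]
        i += 1
        if action in ("bad", "die"):
            impression = False                       # stays failed whatever follows
        elif action != "ignore" and impression is None:
            impression = True                        # ok, done and a jump N all count as ok
        if action == "die" or (action == "done" and impression):
            break
        if action.isdigit():                         # N: skip the next N modules
            i += int(action)
    return impression is True

# Constructed sample principals (uid >= 10000 passes the posted uid check)
AD_ANYONE = {"uid": 20001, "local": False, "groups": []}
AD_DELEGATE = {"uid": 20002, "local": False, "groups": [r"DOMAIN\dlg_delegate_servers_standard_admin_prod"]}
```

With the stack as posted, `account_allowed(POSTED, AD_ANYONE)` is True for every AD principal; with the group checks in the account stack it is False unless the user is in one of the two groups.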

  2. #2
    Automatic reply NNTP User

    Re: Winbind / PAM insufficient restrictions

    sfolkmann,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    Has your issue been resolved? If not, you might try one of the following options:

    - Visit http://www.suse.com/support and search the knowledgebase and/or check all
    the other support options available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.suse.com)

    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.suse.com/faq.php

    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.

    Good luck!

    Your SUSE Forums Team
    http://forums.suse.com
