Thread: Winbind / PAM insufficient restrictions

  1. #1

    Winbind / PAM insufficient restrictions


    I have been trying to get my head around this for a while, but it seems like I am overlooking something.

    We started to configure this on SLES 11 SP3, and have migrated it to SLES 12 as well.

    What I am seeing is that any valid AD member is allowed to log on to the servers; there are no restrictions.
    When we came up with this configuration I am sure it worked, but I might not remember correctly, or have tested it thoroughly enough.

    Here is the output of my PAM files:


    # 2014 - Configuration file modified for AD Authentication

    passwd: compat winbind
    group: compat winbind
    shadow: compat

    hosts: files dns
    networks: files dns

    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files nis
    publickey: files

    bootparams: files
    automount: files nis
    aliases: files


    # 2014 - Configuration file modified for AD Authentication
    account requisite
    account sufficient
    account required use_first_pass


    # 2014 - Configuration file modified for AD Authentication
    auth required
    auth sufficient
    auth required use_first_pass
    account [default=2 success=ignore] quiet uid >= 10000
    account [default=ignore success=1] user ingroup DOMAIN\dlg_delegate_servers_standard_admin_prod
    account [default=bad success=ignore] user ingroup DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME


    # 2014 - Configuration file modified for AD Authentication
    password sufficient
    password requisite nullok cracklib
    password required use_authtok nullok


    # 2014 - Configuration file modified for AD Authentication
    session optional
    session required
    session required
    session required
    session optional

    Any comments would be greatly appreciated.
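
The jump logic of the three bracketed account lines in the post, traced for constructed accounts, as an added example that is not part of the original post. It assumes each line is a condition test that returns success when its condition holds and that the lines are actually reached; `evaluate`, `RULES` and the sample accounts are hypothetical names.

```python
import re

ADMIN = r"DOMAIN\dlg_delegate_servers_standard_admin_prod"
HOST = r"DOMAIN\g1.servers_lcladmin.prod_standard_HOSTNAME"

# The three account lines from the post. The module name is not shown there,
# so each condition is modelled as a plain boolean test (assumption).
RULES = [
    ("[default=2 success=ignore]", lambda u: u["uid"] >= 10000),
    ("[default=ignore success=1]", lambda u: ADMIN in u["groups"]),
    ("[default=bad success=ignore]", lambda u: HOST in u["groups"]),
]

# Constructed sample accounts, not taken from the post.
SAMPLE_USERS = {
    "local_root": {"uid": 0, "groups": []},
    "ad_delegate": {"uid": 20001, "groups": [ADMIN]},
    "ad_host_admin": {"uid": 20002, "groups": [HOST]},
    "ad_other": {"uid": 20003, "groups": [r"DOMAIN\domain users"]},
    "ad_low_uid": {"uid": 5000, "groups": [r"DOMAIN\domain users"]},
}

def parse_control(control):
    """'[default=2 success=ignore]' -> {'default': '2', 'success': 'ignore'}"""
    return dict(re.findall(r"(\w+)=(\w+)", control))

def evaluate(user, rules=RULES):
    """Walk the rules; return (verdict, trace). Models only the actions used
    on the page: ignore (no contribution), bad (veto), N (skip next N lines)."""
    trace, vetoed, i = [], False, 0
    while i < len(rules):
        control, test = rules[i]
        actions = parse_control(control)
        passed = test(user)
        action = actions["success"] if passed else actions["default"]
        trace.append((i + 1, "success" if passed else "failure", action))
        if action == "bad":
            vetoed = True
        elif action.isdigit():
            i += int(action)  # jump over the next N lines
        elif action != "ignore":
            raise ValueError(f"action not modelled: {action}")
        i += 1
    return ("deny" if vetoed else "no veto"), trace

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        verdict, trace = evaluate(user)
        print(f"{name:14} {verdict:8} {trace}")
```

In this model an account whose UID maps below 10000 skips both group tests, so the UID range winbind assigns to AD users decides whether the group restriction is applied at all.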

  2. #2
    Automatic reply NNTP User

    Re: Winbind / PAM insufficient restrictions


    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    Has your issue been resolved? If not, you might try one of the following options:

    - Visit and search the knowledgebase and/or check all
    the other support options available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup.

    Be sure to read the forum FAQ about what to expect in the way of responses:

    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.

    Good luck!

    Your SUSE Forums Team
