Linux
Winbind pam.d AD groups, CentOS 5, allow only?
I am trying to create a configuration that specifies that users in an AD group can log in. I cannot stop every AD user from logging in. I have been doing this in /etc/pam.d/sshd, but can such a setting be made through /etc/pam.d/login? Wouldn't that be the more secure choice? I also really dislike winbind and prefer the Kerberos+LDAP approach, but unfortunately I cannot switch right now. I would appreciate any help, since I have been reading for a while and have not found solid direction. These are the current pam.d configuration files:
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
/etc/pam.d/login
#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
/etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_1
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_2
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_3
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
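In the /etc/pam.d/sshd account stack above, the group checks are `sufficient` lines placed after `include system-auth`, so a failed group check is ignored and the stack still ends in success. The following is an added simulation of Linux-PAM control-flag evaluation (example code written for this page, not from the post or from Linux-PAM) that inlines the account rules of system-auth into the sshd stack and evaluates it for constructed users; the variant with a trailing `pam_deny.so` and the assumption that every user resolves through NSS are illustrations, not part of the question.

```python
OK, FAIL, UNKNOWN = "success", "perm_denied", "user_unknown"

def sshd_account_stack():
    """The sshd 'account' rules from the question with system-auth's account
    rules inlined at the `include`. Entries are (control, module); module(user)
    returns a simulated PAM result. Assumption: every user resolves through NSS
    and has no shadow expiry, so pam_unix.so account returns success."""
    return [
        ("required", lambda u: OK),                                # pam_nologin.so
        ("required", lambda u: OK),                                # pam_unix.so
        ("sufficient", lambda u: OK if u["uid"] < 500 else FAIL),  # pam_succeed_if uid < 500
        ({"default": "bad", "success": "ok", "user_unknown": "ignore"},
         lambda u: UNKNOWN if u["local"] else OK),                 # pam_winbind.so
        ("required", lambda u: OK),                                # pam_permit.so
        ("sufficient", lambda u: OK if "Group_1" in u["groups"] else FAIL),
        ("sufficient", lambda u: OK if "Group_2" in u["groups"] else FAIL),
        ("sufficient", lambda u: OK if "Group_3" in u["groups"] else FAIL),
    ]

def denying_stack():
    """Same rules followed by `account required pam_deny.so` (an assumed change
    for illustration, not from the post): a user accepted by none of the
    `sufficient` lines now fails the stack instead of falling through."""
    return sshd_account_stack() + [("required", lambda u: FAIL)]

KEYWORD_ACTION = {"required": "bad", "requisite": "die", "sufficient": "done", "optional": "ignore"}

def evaluate(stack, user):
    """Return True if the stack grants access (simplified Linux-PAM rules):
    a 'required' failure is remembered but the stack continues, a 'requisite'
    failure returns at once, a 'sufficient' success returns at once unless an
    earlier 'required' module failed, and other failures are ignored."""
    failed = False
    for control, module in stack:
        result = module(user)
        if isinstance(control, dict):            # explicit [value=action] form
            action = control.get(result, control["default"])
        elif result == OK:
            action = "done" if control == "sufficient" else "ok"
        else:
            action = KEYWORD_ACTION[control]
        if action == "done" and result == OK:
            if not failed:
                return True
        elif action == "bad":
            failed = True
        elif action == "die":
            return False
    return not failed
```

Calling `evaluate(sshd_account_stack(), {"local": False, "uid": 10001, "groups": set()})` returns True for a domain user in none of the groups, while `evaluate(denying_stack(), ...)` returns False for the same user and True for a member of Group_2 or a local account with uid below 500.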
PAM winbind is configured from this file:
/etc/security/pam_winbind.conf
To restrict access to users in the specified groups, add this line:
require_membership_of = [SID],[SID],[SID]
replacing [SID] with the correct AD user or group SID. You can find out which SIDs are assigned to which users/groups with this command:
wbinfo -n [NAME]
replacing [NAME] with the specified AD user or group name. However, this whole winbind situation should not exist, because you should normally choose the traditional Kerberos+LDAP approach.