Linux

Winbind pam.d AD groups, CentOS 5, allow only certain groups?

  • January 1, 2013

I'm trying to create a configuration that specifies which users in which AD groups can log in. So far I haven't been able to stop every AD user from being able to log in. I've been doing this in /etc/pam.d/sshd, but could such a setting be done through /etc/pam.d/login instead? Wouldn't that be the more secure option? I also really dislike winbind and prefer the Kerberos+LDAP approach, but unfortunately I can't switch right now. I'd appreciate any help, since I've been reading about this for a while and haven't found a solid direction.

These are the current pam.d configuration files:

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open

/etc/pam.d/sshd

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_1
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_2
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_3
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

PAM Winbind is configured from this file: /etc/security/pam_winbind.conf.

To restrict access to users in specified groups, add this line: require_membership_of = [SID],[SID],[SID]

Replace [SID] with the correct AD user or group SID. You can find out which SIDs are assigned to which users/groups with this command: wbinfo -n [NAME]

Replace [NAME] with the AD user or group name in question.

However, this whole winbind situation shouldn't exist in the first place, since you should normally go with the conventional Kerberos+LDAP approach.
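The answer above leaves the reader to run wbinfo -n by hand for each group and paste the SIDs together. The following script is an added example, not code from the original question or answer: it resolves a list of group names to SIDs the way the answer describes and emits the finished require_membership_of line. The domain, group names and SIDs are constructed for the example; the wbinfo -n output format (SID, SID type name, numeric type in parentheses) is assumed from real wbinfo behaviour, and the WBINFO environment variable is the script's own convention for swapping the built-in stand-in for the real command.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# It turns the answer's "wbinfo -n [NAME]" lookups into a ready-to-paste
# require_membership_of line for /etc/security/pam_winbind.conf.
# Group names and SIDs below are constructed; the wbinfo output format
# (SID, SID type name, numeric type) is assumed from real wbinfo behaviour.

# Stand-in for `wbinfo -n`, so the script runs without a joined domain member.
fake_wbinfo() {
    case "$1" in
        'DOMAIN\Group_1') echo 'S-1-5-21-1111111111-2222222222-3333333333-1107 SID_DOM_GROUP (2)' ;;
        'DOMAIN\Group_2') echo 'S-1-5-21-1111111111-2222222222-3333333333-1108 SID_DOM_GROUP (2)' ;;
        'DOMAIN\Group_3') echo 'S-1-5-21-1111111111-2222222222-3333333333-1109 SID_DOM_GROUP (2)' ;;
        'DOMAIN\alice')   echo 'S-1-5-21-1111111111-2222222222-3333333333-1201 SID_USER (1)' ;;
        *) printf 'failed to lookup name %s\n' "$1" >&2; return 1 ;;
    esac
}

# Resolve NAME to its SID. Fails if the lookup fails, the result does not
# look like a SID, or the object is not a domain group: a typo that resolves
# to a user account would silently restrict logins to that single user.
group_sid() {
    out=$(${WBINFO:-fake_wbinfo} "$1") || return 1
    set -- $out
    case "$1" in
        S-1-5-*) ;;
        *) return 1 ;;
    esac
    [ "$2" = "SID_DOM_GROUP" ] || return 1
    printf '%s\n' "$1"
}

# Build "require_membership_of = SID,SID,..." from the given group names.
# Any unresolvable name aborts the whole line rather than producing a
# partial list that would lock out a group by accident.
require_membership_line() {
    sids=""
    for g in "$@"; do
        sid=$(group_sid "$g") || { printf 'cannot resolve group: %s\n' "$g" >&2; return 1; }
        sids="${sids:+$sids,}$sid"
    done
    printf 'require_membership_of = %s\n' "$sids"
}

# Usage: on a real domain member run with WBINFO='wbinfo -n' to query winbind.
require_membership_line 'DOMAIN\Group_1' 'DOMAIN\Group_2' 'DOMAIN\Group_3'
```

The line it prints goes into the global section of /etc/security/pam_winbind.conf. Note that require_membership_of is enforced by pam_winbind.so only; local accounts that pass pam_unix.so in system-auth are unaffected, so after changing the file, test with an AD account outside the listed groups and confirm it is refused.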

Quoted from: https://unix.stackexchange.com/questions/45224