Linux + Active directory authentication + only letting certain groups login

Solution 1:

Assuming the groups are available to the Linux system, I recommend editing /etc/security/access.conf for Ubuntu, RedHat distributions (and their forks) and probably a bunch of others. This doesn't require editing PAM files, and is a nicely standard place to do it. There are usually examples in the file, commented out.

Solution 2:

(I'm talking about samba 3 here, no experience on samba 4 now.)

There is no need to edit those /etc/pam.d/xxx files. pam_winbind.conf is the file you want, it is usually located at /etc/security/pam_winbind.conf.

It is the configuration file of pam_winbind module, and it works for both CentOS/Redhat and Debian/Ubuntu. You can read the man page of pam_winbind.conf for reference.

Here is an example file.

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
;krb5_auth = no

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependend on membership of one SID
# (can also take a name)
# require_membership_of = SID,SID,SID
require_membership_of = S-1-5-21-4255311587-2195296704-2687208041-1794

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
mkhomedir = yes

Solution 3:

I currently use the AllowGroups directive in /etc/ssh/sshd_config to limit who's able to log in. Specify a one or more AD groups on that line, and those people will be the only ones able to log in.

Keep in mind that this only works if your users are only accessing the server remotely via ssh. If they're singing in locally, you'll need to find another solution.


Solution 4:

Yes, there are a few ways of doing this depending on what you're trying to accomplish exactly.

The first method can be done through the samba config. This will only allow these users to connect to Samba, other users can still login through other services (ssh, local term, etc). With this, you'll want to add a line to your [global] section in smb.conf:

valid users = @groupA @groupB

The other method is by modifying PAM rules. Different distributions have slight differences here, but generally speaking there are PAM rules per service as well as common rules, you can decide what is best. You'll want to add an account restriction using the pam_require module. An example on my laptop (Fedora 13) would be to modify the account section in /etc/pam.d/system-auth to:

account     required      pam_unix.so
account     required      pam_require.so @groupA @groupB
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

To simplify administration, you might want to create a new group in AD for the purpose of tracking users that can login to this server.