Winbind PAM.D AD 组,CentOS 5,仅允许?

tag-icon tag-icon linux centos samba pam active-directory
Winbind PAM.D AD 组,CentOS 5,仅允许?

我正在尝试创建一个配置,指定 AD 组中的用户可以登录。我无法阻止每个 AD 用户登录。虽然我一直在这样做,/etc/pam.d/sshd/但是这样的设置可以通过吗/etc/pam.d/login?这不是一个更安全的选择吗?我也很不喜欢winbind,更喜欢 Kerberos+LDAP 方法,但不幸的是我现在无法切换。我感谢任何帮助,因为我已经阅读了一段时间但没有找到可靠的方向。

这些是当前的 pam.d 配置文件,

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open

/etc/pam.d/sshd

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_1
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_2
account    sufficient   pam_succeed_if.so user ingroup DOMAIN\Group_3
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

答案1

PAM Winbind 是从此文件/etc/security/pam_winbind.conf.

要限制对指定组中的用户的访问,请添加此行 require_membership_of = [SID],[SID],[SID]

将 替换[SID]为正确的 AD 用户或组 SID。您可以使用此命令找出哪些用户/组分配了哪些 SID。wbinfo -n [NAME]

替换[NAME]为指定的 AD 用户或组名称。

然而,整个 winbind 情况不应该存在,因为您通常应该选择传统的 Kerberos+LDAP 方法。

答案2

这可能是一种替代方案,但在 Windows DC 上,您可以安装适用于 Unix 的身份管理。然后对于每个用户,您可以右键单击>转到Unix属性,并通过设置登录shell from/bin/shell/bin/bashto来设置他们是否可以登录/bin/false

您还需要在 /etc/samba/smb.conf 文件中添加一行:

winbind nss info = rfc2307

希望有人会觉得这很有用!

相关内容