
I'm taking the samba / winbind / PAM route to authenticate users on our linux servers from our Active Directory domain.

Everything works, but I want to limit what AD groups are allowed to authenticate. Winbind / PAM currently allows any enabled user account in the Active Directory, and pam_winbind.so doesn't seem to heed the require_membership_of=MYDOMAIN\\mygroup parameter. Doesn't matter if I set it in the /etc/pam.d/system-auth or /etc/security/pam_winbind.conf files.

How can I force winbind to honor the require_membership_of setting? Using CentOS 5.5 with up-to-date packages.

Update: turns out that PAM always allows root to pass through auth, by virtue of the fact that it's root. So as long as the account exists, root will pass auth. Any other account is subjected to the auth constraints.

Update 2: require_membership_of seems to be working, except for when the requesting user has the root uid. In that case, the login succeeds regardless of the require_membership_of setting. This is not an issue for any other account. How can I configure PAM to force the require_membership_of check even when the current user is root?

Current PAM config is below:

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_winbind.so
account sufficient pam_localuser.so
account required pam_unix.so broken_shadow

password ..... (excluded for brevity)

session required pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_limits.so
session required pam_unix.so

require_membership_of is currently set in the /etc/security/pam_winbind.conf file, and is working (except for the root case outlined above).

Kenaniah
  • We've done a PoC at work using Likewise Open, including how to only allow logons from specific AD groups. I'll take a look in the morning and post here. – ThatGraemeGuy Nov 10 '10 at 22:25
  • I'm not sure what your update has to do with the original question? The update seems to suggest that you are trying to block the local root account from logging in, is that correct? If not, can you clarify? – ThatGraemeGuy Nov 11 '10 at 07:24
  • @Graeme Question updated. – Kenaniah Nov 18 '10 at 00:16

5 Answers


Disclaimer: You probably shouldn't try to require_membership_of for root. Is there ever a case where root should not be able to login? You risk not being able to repair this machine without rebooting into single mode if something goes wrong (like its network going down).

I'll answer anyway.

TL;DR: If you want to enforce membership even for local users (root included), replace the first sufficient with a requisite.


require_membership_of is only used in pam_winbind.c in pam_sm_chauthtok (involved in the management group password) and pam_sm_authenticate (involved in the management group auth).

So if a user does not have the membership you require, the PAM step that will fail looks like:

auth [...] pam_winbind.so [...]

You do have one, but it's marked as sufficient:

auth sufficient pam_winbind.so

So if it fails, PAM will keep going through its chain. Next stop:

auth sufficient pam_unix.so nullok try_first_pass

This one will succeed if getent passwd root returns a valid user, getent shadow root (run as root) returns a valid encrypted password, and the password entered by the user matches.

I won't walk you through the rest, but nothing else will prevent root from logging in.

I would refer you to pam.d(5) for more information about the general PAM configuration mechanism, pam_unix(8) & co for the various modules.

Pierre Carrier
  • `root` authenticates thanks to `pam_unix.so` as you pointed out. My specific issue is that if I'm already root, trying to login as another user (using `su - DOMAIN\\username`) completely skips the `require_membership_of` check as long as the account exists. Is there any way to fix this? – Kenaniah Jul 19 '12 at 18:37
  • We'd have to review your `su` PAM configuration. That sounds like another question, though :) – Pierre Carrier Jul 20 '12 at 12:57
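The chain walk in this answer, as an added simulator of PAM auth control flags (not code from the answer or from Linux-PAM): it parses the auth lines from the question, evaluates sufficient/requisite/required the way PAM does, and runs local root and an in-group AD user through the original stack and the requisite variant. The module outcomes are constructed for the example.

```python
# Simplified Linux-PAM "auth" control-flag semantics (required, requisite,
# sufficient, optional). Module results are constructed; real PAM calls the modules.

ORIGINAL_STACK = """
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Same stack with the first 'sufficient' swapped for 'requisite'.
REQUISITE_STACK = ORIGINAL_STACK.replace("auth sufficient pam_winbind.so",
                                         "auth requisite pam_winbind.so", 1)

# Constructed outcomes (True = PAM_SUCCESS): local root, who is not in the
# required AD group, and an AD user who is.
ROOT_OUTCOMES = {"pam_winbind.so": False,    # require_membership_of not met
                 "pam_unix.so": True,        # /etc/shadow password matches
                 "pam_succeed_if.so": False, # uid 0 is < 500
                 "pam_deny.so": False}
AD_USER_OUTCOMES = {"pam_winbind.so": True, "pam_unix.so": False,
                    "pam_succeed_if.so": True, "pam_deny.so": False}

def parse_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d fragment."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            rules.append((parts[1], parts[2]))
    return rules

def run_auth_stack(text, outcomes):
    """Walk the stack top to bottom; True means PAM would grant auth."""
    required_failed = False
    any_success = False
    for control, module in parse_stack(text):
        ok = outcomes.get(module, False)
        any_success = any_success or ok
        if control == "requisite" and not ok:
            return False           # abort now, later lines never run
        if control == "required" and not ok:
            required_failed = True # keep walking, but the final answer is no
        if control == "sufficient" and ok and not required_failed:
            return True            # short-circuit: this is how root got through
        # failed 'sufficient' and 'optional' are ignored; a passing
        # 'requisite'/'required' does NOT end the stack
    return any_success and not required_failed

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("requisite", REQUISITE_STACK)):
        print(name, "root:", run_auth_stack(stack, ROOT_OUTCOMES),
              "AD user:", run_auth_stack(stack, AD_USER_OUTCOMES))
```

Because a passing requisite line does not end the stack, the AD user is then judged by the remaining lines (here ending in pam_deny.so), so the rest of the chain has to be adjusted along with the first line.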

You may have better luck referring to the group by SID.

Look up the SID for a group:

wbinfo -n "mygroup"

Then set require_membership_of using the SID (determined from wbinfo)

require_membership_of=S-1-5-21-1757981276-1399067357-839522115-75638
elijahbuck

In our setup this is restricted by the following line in the file /etc/security/pam_lwidentity.conf:

require_membership_of = OURDOMAIN\domain^admins
ThatGraemeGuy

In this situation, I cheated and used pam_access instead of banging my head further against pam_winbind.

Handyman5

Can you use the global catalog port of your AD server? It speaks the LDAP protocol, probably on port 3268 (or 3269 for encrypted ldaps).

I find it's easier, faster, and far more reliable to use the ldap auth & nsswitch modules than winbind, and also (as suggested by Handyman5 above), use pam_access and edit /etc/security/access.conf to control who is allowed to login.

cas