We've got some RHEL 5 servers joined to AD using Winbind/Kerberos which is working well overall.
I've specified an AD security group in PAM to restrict which domain users can login.
auth requisite pam_succeed_if.so user ingroup ad_group debug
I've also specified the same group in sudoers so they can attain root access.
%ad_group ALL=(ALL) ALL
These work as expected.
However, I've noticed that "su -" will allow me to become a domain user that is not in the security group.
Let's say jdoe is not in the "ad_group":
[kernelpanic@server01 ~]$ sudo su - jdoe
[sudo] password for user:
Creating directory '/home/jdoe'.
Creating directory '/home/jdoe/.mozilla'.
Creating directory '/home/jdoe/.mozilla/plugins'.
Creating directory '/home/jdoe/.mozilla/extensions'.
[jdoe@server01 ~]$
Here's the /var/log/secure output:
Oct 25 09:42:42 server01 su: pam_unix(su-l:session): session opened for user jdoe by kernelpanic(uid=0)
Oct 25 09:43:53 server01 su: pam_unix(su-l:session): session closed for user jdoe
Is there a way to restrict users from an "su -" to a domain user who is not allowed to login to the box in the first place?
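The behaviour in the question follows from how Linux-PAM control flags are evaluated: RHEL 5's /etc/pam.d/su starts its auth phase with `auth sufficient pam_rootok.so`, so when the caller is already uid 0 the auth phase succeeds right there and an `auth requisite pam_succeed_if.so` line further down is never consulted, whereas an `account` line still runs. The toy evaluator below is an added example, not code from the poster; the two stacks are constructed approximations of /etc/pam.d/su with system-auth inlined, and pam_unix/pam_winbind are simply assumed to succeed.

```python
# Added example: a toy evaluator for Linux-PAM control flags showing why a group
# check in the 'auth' phase is skipped when root runs 'su -' (pam_rootok.so wins
# first) while the same check in the 'account' phase still runs. Stacks are
# constructed approximations of RHEL 5's /etc/pam.d/su, not copied from a box.

def run_module(module, args, ctx):
    """Return True/False for the few modules this toy model understands."""
    if module == "pam_rootok.so":
        return ctx["caller_uid"] == 0
    if module == "pam_deny.so":
        return False
    if module == "pam_succeed_if.so" and args[:2] == ["user", "ingroup"]:
        return args[2] in ctx["target_groups"]
    return True  # pam_unix/pam_winbind: assume password and account are fine

def run_phase(stack, phase, ctx):
    """Walk one management group; return (success, modules actually run)."""
    ran, required_failed = [], False
    for p, flag, module, *args in stack:
        if p != phase:
            continue
        ran.append(module)
        ok = run_module(module, args, ctx)
        if flag == "requisite" and not ok:
            return False, ran            # fail immediately
        if flag == "required" and not ok:
            required_failed = True       # keep going, but the phase fails
        if flag == "sufficient" and ok and not required_failed:
            return True, ran             # later modules are never consulted
    return not required_failed, ran

def su_allowed(stack, caller_uid, target_groups):
    """Model 'su - target' run by caller_uid: auth phase, then account phase."""
    ctx = {"caller_uid": caller_uid, "target_groups": target_groups}
    auth_ok, auth_ran = run_phase(stack, "auth", ctx)
    acct_ok, acct_ran = run_phase(stack, "account", ctx)
    return auth_ok and acct_ok, auth_ran + acct_ran

# Poster's layout: the group check lives in the auth phase only.
SU_AUTH_ONLY = [
    ("auth", "sufficient", "pam_rootok.so"),
    ("auth", "requisite", "pam_succeed_if.so", "user", "ingroup", "ad_group"),
    ("auth", "sufficient", "pam_winbind.so"),
    ("auth", "required", "pam_deny.so"),
    ("account", "required", "pam_winbind.so"),
]
# Same stack with the check repeated in the account phase, which pam_rootok
# cannot short-circuit. Caveat: as written this also blocks su to local
# accounts outside ad_group, so a real stack would exempt those first.
SU_WITH_ACCOUNT_CHECK = SU_AUTH_ONLY + [
    ("account", "required", "pam_succeed_if.so", "user", "ingroup", "ad_group"),
]
```

Running `su_allowed(SU_AUTH_ONLY, 0, ["domain users"])` returns success with pam_succeed_if.so absent from the list of modules run, which is the case in the question; the same call against SU_WITH_ACCOUNT_CHECK is refused.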