Re: Restricting physical login access to specific nodes using PAM / NSS / SMB4 AD/DC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, Nov 3, 2014 at 12:34 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
>> I am using SSSD to get user AUTH from a backend Samba4 AD/DC.
>>
>> For Linux clients sssd.conf is configured to query Samba4 AD based on
>> LDAP/Kerberos i.e. the Linux clients have not done a Domain join.
>> Physical console logins -- things are working fine with changes to NSS
>> and PAM (tool authconfig) for domain User AUTH on Linux and Windows
>> clients.
>>
>> However, I want to restrict access to certain machines to users of a
>> specific group e.g. HR.  I guess this is possible on Windows clients
>> with group policies.
>> Is the same possible on CentOS (Linux) workstations.
>
>
> I am not familiar with the inner workings of SSSD, but with pam_listfile you
> can specify users or groups that must be met for pam to succeed.

Thanks.  This link [1] has a bit more details on the implementation (I
found it just after posting the query) for the files.
As for PAM <> SSSD interaction, with proper NSS config, the query
first goes to the Directory Server, failing which to 'local'
/etc/group.

[1] <http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html>

-- Arun Khan
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux