I want to authenticate Linux logins via winbind. Everything is running, so all
ADS users can log in. But I want only some users to log in, so I used a winbind
feature called require_membership_of to restrict to a group. But this does not
work and I think it is a PAM config problem.
The log shows the following:
Apr 13 09:03:24 personal pam_winbind[7423]: pam_winbind: pam_sm_authenticate
Apr 13 09:03:29 personal pam_winbind[7423]: Verify user `testuser'
Apr 13 09:03:29 personal pam_winbind[7423]: CONFIG file: require_membership_of 'nagios-user'
Apr 13 09:03:29 personal pam_winbind[7423]: CONFIG file: krb5_ccache_type 'FILE'
Apr 13 09:03:29 personal pam_winbind[7423]: enabling krb5 login flag
Apr 13 09:03:29 personal pam_winbind[7423]: enabling request for a FILE krb5 ccache
Apr 13 09:03:29 personal pam_winbind[7423]: no sid given, looking up: nagios-user
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' OK
Apr 13 09:03:29 personal pam_winbind[7423]: request failed: Logon failure, PAM error was Authentication failure (7), NT error was NT_STATUS_LOGON_FAILURE
Apr 13 09:03:29 personal pam_winbind[7423]: user `testuser' denied access (incorrect password or invalid membership)
Apr 13 09:03:29 personal pam_winbind[7423]: request returned KRB5CCNAME: FILE:/tmp/krb5cc_1002
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' OK
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' granted access
Apr 13 09:03:48 personal pam_winbind[7423]: pam_winbind: pam_sm_close_session handler
Apr 13 09:03:48 personal pam_winbind[7423]: username [testuser] obtained
Apr 13 09:03:48 personal pam_winbind[7423]: user 'testuser' OK
I really don't understand why the testuser is authenticated and can log in although
there is an access denied (invalid membership).
Can you help me?
Thanks
Peter
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
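
An added example, not part of the original post: a Python check that groups pam_winbind syslog lines by process ID and reports any user who is denied and then granted access by the same process, which is the pattern in the log above. The sample lines are copied from the post with the mail line wrapping undone; the function name and the regular expressions are this example's own.

```python
import re
from collections import defaultdict

# Log lines from the post above, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Apr 13 09:03:29 personal pam_winbind[7423]: CONFIG file: require_membership_of 'nagios-user'
Apr 13 09:03:29 personal pam_winbind[7423]: request failed: Logon failure, PAM error was Authentication failure (7), NT error was NT_STATUS_LOGON_FAILURE
Apr 13 09:03:29 personal pam_winbind[7423]: user `testuser' denied access (incorrect password or invalid membership)
Apr 13 09:03:29 personal pam_winbind[7423]: request returned KRB5CCNAME: FILE:/tmp/krb5cc_1002
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' granted access
"""

# syslog prefix: "<timestamp> <host> pam_winbind[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ pam_winbind\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_winbind quotes the user name as `name' or 'name' depending on the message
VERDICT_RE = re.compile(r"user [`'](?P<user>[^']+)' (?P<verdict>denied|granted) access")
GROUP_RE = re.compile(r"require_membership_of '(?P<group>[^']*)'")


def find_denied_then_granted(log_text):
    """Return one finding per (pid, user) that was denied and later granted."""
    state = defaultdict(lambda: {"group": None, "denied": {}})
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_winbind line, or a wrapped continuation
        pid, msg = m["pid"], m["msg"]
        g = GROUP_RE.search(msg)
        if g:
            state[pid]["group"] = g["group"]  # restriction seen for this process
        v = VERDICT_RE.search(msg)
        if not v:
            continue
        user = v["user"]
        if v["verdict"] == "denied":
            state[pid]["denied"][user] = m["ts"]
        elif user in state[pid]["denied"]:
            # granted after an earlier denial by the same process: report it
            findings.append({"pid": int(pid), "user": user,
                             "required_group": state[pid]["group"],
                             "denied_at": state[pid]["denied"].pop(user),
                             "granted_at": m["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_denied_then_granted(SAMPLE_LOG):
        print("pid {pid}: {user} denied at {denied_at}, then granted at {granted_at} "
              "(require_membership_of={required_group})".format(**f))
```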