Otdfbt

Simple fuzz pedal using breadboard

When and what was the first 3D acceleration device ever released?

How to Pin Point Large File eating space in Fedora 18

Employer demanding to see degree after poor code review

Find limit in use of integrals

the meaning of 'carry' in a novel

How strong are Wi-Fi signals?

Using credit/debit card details vs swiping a card in a payment (credit card) terminal

Website returning plaintext password

How to use " shadow " in pstricks?

Is neural networks training done one-by-one?

How to use Palladio font in text body but Computer Modern for Equations?

Is there some hidden joke behind the "it's never lupus" running gag in House?

What are the real benefits of using Salesforce DX?

Should one buy new hardware after a system compromise?

Count Even Digits In Number

Would jet fuel for an F-16 or F-35 be producible during WW2?

Where have Brexit voters gone?

Boss wants me to falsify a report. How should I document this unethical demand?

Is it true that cut time means "play twice as fast as written"?

What to do when you've set the wrong ISO for your film?

Computing the matrix powers of a non-diagonalizable matrix

Is the field of q-series 'dead'?

Pirate democracy at its finest

Allow only root and domain group to login on Linux server

Non-Domain IIS server authenticate on domain?Command line to list users in a Windows Active Directory group?windows server 2008 AD domain login failsInclude AD domain admins group in Linux sudoers?PBIS Open AD authentication stops working on ubuntu with errors: “user accout has expired” and “is your account locked?”Access denied trying to login to Ubuntu 14.04 (Authentication with Active Directory)Allow access to only certian AD Group users to IIS sitePowerBroker Open group listings and enumerationPowerBroker (PBIS) Restricted login list - couldn't resolve srvDomainUsers [40071]ERROR: 500048: Inappropriate authentication when running adtool to retrieve a user's attributes

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

2

I have successfully installed PBIS-open to authenticate against active directory. I also used the /opt/pbis/bin/config RequireMembershipOf command to allow a certain domain group to login.

I would now like to allow root, and the group(s) specified with the /opt/pbis/bin/config RequireMembershipOf command, and deny all other local users to login. Is there any way to do this?

active-directory authentication

share|improve this question

asked Aug 17 '15 at 7:21

mpmv2015mpmv2015

116

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  use Allowuser in /etc/ssh/sshd_config
  
  – c4f4t0r
  Aug 17 '15 at 8:47
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I also want to make sure only these users are allowed to logon directly on the server, so "Allowuser" is not an option in this case
  
  – mpmv2015
  Aug 17 '15 at 8:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  please when you talk about login, please tell how? ssh or console?
  
  – c4f4t0r
  Aug 17 '15 at 9:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I'm sorry, I'm talking about the console
  
  – mpmv2015
  Aug 17 '15 at 9:14
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  For your case, you can use pam_access and configure the file /etc/security/access.conf
  
  – c4f4t0r
  Aug 17 '15 at 9:34
  

  
  
  
  

 | 
show 8 more comments

2

I have successfully installed PBIS-open to authenticate against active directory. I also used the /opt/pbis/bin/config RequireMembershipOf command to allow a certain domain group to login.

I would now like to allow root, and the group(s) specified with the /opt/pbis/bin/config RequireMembershipOf command, and deny all other local users to login. Is there any way to do this?

active-directory authentication

share|improve this question

asked Aug 17 '15 at 7:21

mpmv2015mpmv2015

116

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  use Allowuser in /etc/ssh/sshd_config
  
  – c4f4t0r
  Aug 17 '15 at 8:47
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I also want to make sure only these users are allowed to logon directly on the server, so "Allowuser" is not an option in this case
  
  – mpmv2015
  Aug 17 '15 at 8:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  please when you talk about login, please tell how? ssh or console?
  
  – c4f4t0r
  Aug 17 '15 at 9:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I'm sorry, I'm talking about the console
  
  – mpmv2015
  Aug 17 '15 at 9:14
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  For your case, you can use pam_access and configure the file /etc/security/access.conf
  
  – c4f4t0r
  Aug 17 '15 at 9:34
  

  
  
  
  

 | 
show 8 more comments

I have successfully installed PBIS-open to authenticate against active directory. I also used the /opt/pbis/bin/config RequireMembershipOf command to allow a certain domain group to login.

I would now like to allow root, and the group(s) specified with the /opt/pbis/bin/config RequireMembershipOf command, and deny all other local users to login. Is there any way to do this?

active-directory authentication

share|improve this question

asked Aug 17 '15 at 7:21

mpmv2015mpmv2015

116

share|improve this question

asked Aug 17 '15 at 7:21

mpmv2015mpmv2015

116

share|improve this question

asked Aug 17 '15 at 7:21

mpmv2015mpmv2015

116

asked Aug 17 '15 at 7:21

mpmv2015mpmv2015

116

asked Aug 17 '15 at 7:21

mpmv2015mpmv2015

116

1 Answer
1

active

oldest

votes

0

If you would like to use pam_access in redhat and centos and so on, first you need to include the module in your pam configura as follow.

authconfig --update --enablepamaccess

Now you can configure which users that can use your server.

/etc/security/access.conf:

my example rules

+ : DOMAINadmins : ALL
+ : root : ALL
- : ALL : ALL

If you use DOMAIN sintax in front of the users and groups, that would say you are using winbind, for AD join, I'm using pam_ldap with sfu in the windows side, for this reason in my comments I don't use the domain.

Now you have configured Pam for the users access control, but Now you need to be sure that sshd is using pam,

grep "UsePAM" /etc/ssh/sshd_config
UsePAM yes

If the UsePAM isn't yes, you need to change this to yes and restart sshd service

share|improve this answer

answered Aug 17 '15 at 11:17

c4f4t0rc4f4t0r

3,90132133

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I can now only login with my root account. The domain group isn't working. I used PBIS-open to join the domain.
  
  – mpmv2015
  Aug 17 '15 at 11:26
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  sorry, but I don't see any logs of information about what you are doing, is realy hard to help you in this way, is better with start a chat, we can't continue to write comments.
  
  – c4f4t0r
  Aug 17 '15 at 11:29
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ok, how do we start to chat? I'm kind of new here
  
  – mpmv2015
  Aug 17 '15 at 11:33
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f714619%2fallow-only-root-and-domain-group-to-login-on-linux-server%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

If you would like to use pam_access in redhat and centos and so on, first you need to include the module in your pam configura as follow.

authconfig --update --enablepamaccess

Now you can configure which users that can use your server.

/etc/security/access.conf:

my example rules

+ : DOMAINadmins : ALL
+ : root : ALL
- : ALL : ALL

If you use DOMAIN sintax in front of the users and groups, that would say you are using winbind, for AD join, I'm using pam_ldap with sfu in the windows side, for this reason in my comments I don't use the domain.

Now you have configured Pam for the users access control, but Now you need to be sure that sshd is using pam,

grep "UsePAM" /etc/ssh/sshd_config
UsePAM yes

If the UsePAM isn't yes, you need to change this to yes and restart sshd service

share|improve this answer

answered Aug 17 '15 at 11:17

c4f4t0rc4f4t0r

3,90132133

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I can now only login with my root account. The domain group isn't working. I used PBIS-open to join the domain.
  
  – mpmv2015
  Aug 17 '15 at 11:26
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  sorry, but I don't see any logs of information about what you are doing, is realy hard to help you in this way, is better with start a chat, we can't continue to write comments.
  
  – c4f4t0r
  Aug 17 '15 at 11:29
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ok, how do we start to chat? I'm kind of new here
  
  – mpmv2015
  Aug 17 '15 at 11:33
  

  
  
  
  

add a comment | 

0

If you would like to use pam_access in redhat and centos and so on, first you need to include the module in your pam configura as follow.

authconfig --update --enablepamaccess

Now you can configure which users that can use your server.

/etc/security/access.conf:

my example rules

+ : DOMAINadmins : ALL
+ : root : ALL
- : ALL : ALL

If you use DOMAIN sintax in front of the users and groups, that would say you are using winbind, for AD join, I'm using pam_ldap with sfu in the windows side, for this reason in my comments I don't use the domain.

Now you have configured Pam for the users access control, but Now you need to be sure that sshd is using pam,

grep "UsePAM" /etc/ssh/sshd_config
UsePAM yes

If the UsePAM isn't yes, you need to change this to yes and restart sshd service

share|improve this answer

answered Aug 17 '15 at 11:17

c4f4t0rc4f4t0r

3,90132133

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I can now only login with my root account. The domain group isn't working. I used PBIS-open to join the domain.
  
  – mpmv2015
  Aug 17 '15 at 11:26
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  sorry, but I don't see any logs of information about what you are doing, is realy hard to help you in this way, is better with start a chat, we can't continue to write comments.
  
  – c4f4t0r
  Aug 17 '15 at 11:29
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ok, how do we start to chat? I'm kind of new here
  
  – mpmv2015
  Aug 17 '15 at 11:33
  

  
  
  
  

add a comment | 

If you would like to use pam_access in redhat and centos and so on, first you need to include the module in your pam configura as follow.

authconfig --update --enablepamaccess

Now you can configure which users that can use your server.

/etc/security/access.conf:

my example rules

+ : DOMAINadmins : ALL
+ : root : ALL
- : ALL : ALL

If you use DOMAIN sintax in front of the users and groups, that would say you are using winbind, for AD join, I'm using pam_ldap with sfu in the windows side, for this reason in my comments I don't use the domain.

Now you have configured Pam for the users access control, but Now you need to be sure that sshd is using pam,

grep "UsePAM" /etc/ssh/sshd_config
UsePAM yes

If the UsePAM isn't yes, you need to change this to yes and restart sshd service

share|improve this answer

answered Aug 17 '15 at 11:17

c4f4t0rc4f4t0r

3,90132133

authconfig --update --enablepamaccess

/etc/security/access.conf:

+ : DOMAINadmins : ALL
+ : root : ALL
- : ALL : ALL

grep "UsePAM" /etc/ssh/sshd_config
UsePAM yes

share|improve this answer

answered Aug 17 '15 at 11:17

c4f4t0rc4f4t0r

3,90132133

answered Aug 17 '15 at 11:17

c4f4t0rc4f4t0r

3,90132133

answered Aug 17 '15 at 11:17

c4f4t0rc4f4t0r

3,90132133