Hello,
I configured RHEL Linux 6 with an AD directory to authorize Windows users to connect to the system, and it works.
I have accounts with high privileges (oracle, for example); if such an account is created on the AD server, I would like to block him.
I looked for how to do this; for the moment all the examples use groups on the AD server, but I would like to manage this from the Linux server. Do you have an idea?
Regards,
Vincenzo
How are you connected to Active Directory? Are you using sssd auth? If so, you can use a value in /etc/sssd/sssd.conf:
allow_simple_groups = onlythisone, orthisgroup/
If you are using nscd/nslcd which use a more traditional ldap method, there's an option somewhere for your ldap search string. You can write a query that matches just the groups or users you want to allow.
Hi,
Thanks bgstack15 for your answer.
I use sssd. Does allow_simple_group use groups from the AD or local groups?
Vincent
Finally I found the solution.
Modify both files /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac.
Add this line for the user test:
auth requisite pam_succeed_if.so user != test
Put the line as shown below:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_succeed_if.so user != test <-- The entry should be added here.
Vincenzo
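An added check script, not from the thread or from any participant: it verifies that the requisite deny line above sits before the "sufficient pam_sss.so" entry in an auth stack, because a sufficient module that succeeds ends the stack and any deny line after it never runs for an AD login. It assumes RHEL 6 style files named system-auth-ac and password-auth-ac; the two sample stacks it builds in a temp dir are constructed for the demonstration, not copied from a real system.

```shell
#!/bin/sh
# Added example: does a PAM auth stack deny USER before pam_sss.so is reached?

# pam_denies_before_sss FILE USER -> 0 if the deny line is effective, 1 otherwise
pam_denies_before_sss() {
    deny=$(grep -n -E "^auth[[:space:]]+requisite[[:space:]]+pam_succeed_if\.so[[:space:]].*user[[:space:]]*!=[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 | cut -d: -f1)
    sss=$(grep -n -E "^auth[[:space:]]+[a-z]+[[:space:]]+pam_sss\.so" "$1" | head -n 1 | cut -d: -f1)
    if [ -z "$deny" ]; then
        echo "$1: no requisite deny line for user '$2'"; return 1
    fi
    if [ -n "$sss" ] && [ "$deny" -gt "$sss" ]; then
        echo "$1: deny line $deny comes after pam_sss.so on line $sss (ineffective)"; return 1
    fi
    echo "$1: deny line $deny precedes pam_sss.so${sss:+ on line $sss}"; return 0
}

# check_both DIR USER -> 0 only if both stacks in DIR deny USER (names as in /etc/pam.d)
check_both() {
    rc=0
    for f in "$1/system-auth-ac" "$1/password-auth-ac"; do
        pam_denies_before_sss "$f" "$2" || rc=1
    done
    return $rc
}

# make_samples -> prints a temp dir holding two constructed stacks (not real system files)
make_samples() {
    d=$(mktemp -d)
    # system-auth-ac: deny line placed as the thread shows, before pam_sss.so
    cat >"$d/system-auth-ac" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        requisite     pam_succeed_if.so user != test
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
    # password-auth-ac: same line appended after pam_sss.so, so an AD login already succeeded
    cat >"$d/password-auth-ac" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        requisite     pam_succeed_if.so user != test
auth        required      pam_deny.so
EOF
    echo "$d"
}
```

Run `check_both /etc/pam.d test` on the real host to confirm the line is effective in both files; a non-zero exit names the file that is missing it or has it in the wrong place.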