Why not set up a PAM config to deny selected users in the pam.d/authorization? You could use a pam_group option as one of many ways.
On Oct 20, 2016 11:17 AM, <[email protected]> wrote:
> I'm looking for suggestions on separating authorization from authentication under Mac OS-X (Sierra).
>
> I'm attempting to set up a new Mac, following a model that works very well on our Linux desktops & servers:
>
> The NIS passwd table provides a list of accounts that are _authorized_ to use the department systems. NIS does not have any passwords.
>
> Linux machines are joined to the Active Directory for _authentication_. AD has a superset of the data in NIS, plus passwords.
>
> Linux machines are configured via /etc/pam.d/system-auth and /etc/nsswitch.conf to require a valid account for authorization.
>
> Linux machines are configured using Kerberos (/etc/pam.d/system-auth and /etc/krb5.conf) to use authentication via krb5 as sufficient for logins (i.e., if there's an account in NIS, send the password to AD).
>
> The new Mac is bound to Active Directory, that's good, but currently anyone in the AD can log in to the machine. The Mac is also an NIS client, and queries (ypcat) work fine, listing the users from NIS who should be allowed access. Both AD and NIS are available in the Open Directory GUI. So far, so good.
>
> The part I'm missing is how to configure Open Directory to do _authorization_ lookups only from one data source (NIS) and _authentication_ only from another (AD).
>
> Any suggestions?
>
> Thanks,
>
> Mark
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
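The Linux model Mark describes in the quoted message (account list from NIS through NSS for authorization, password checked against AD over Kerberos for authentication), written out as an added example; these are constructed fragments, not files from the thread, and the realm EXAMPLE.COM and the Red Hat style system-auth layout are assumptions. It shows the Linux side only and does not answer the Open Directory question for the Mac.

```conf
# /etc/nsswitch.conf (excerpt): account lookups come from local files,
# then the NIS passwd/group maps. NIS carries no password hashes, so a
# user who is in AD but not in NIS simply does not exist on this host.
passwd:     files nis
shadow:     files nis
group:      files nis

# /etc/pam.d/system-auth (excerpt, assumed Red Hat style stack)
# auth: pam_unix prompts for the password and checks the (empty) NIS
# hashes, which cannot succeed; pam_krb5 then sends that same password
# to the AD KDC and is "sufficient" on its own; pam_deny closes the
# stack so nothing falls through. No "nullok" on pam_unix: an NIS
# passwd entry with an empty password field would otherwise log in
# with an empty password.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

# account: this is the authorization step. pam_unix resolves the user
# through NSS (files, then NIS); an unknown user fails here even if
# the KDC accepted the password, so AD-only users are refused.
account     required      pam_unix.so

# password and session lines are unchanged from the distribution
# defaults and are omitted here.

# /etc/krb5.conf (excerpt): the AD domain is the realm the password
# check goes to. EXAMPLE.COM is a placeholder, not the real realm.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
```

Verify the split with two accounts: one present in both NIS and AD (login succeeds via krb5), and one present only in AD (refused at the account step, with the denial visible in the auth log).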
