OK, we have this working now, thanks to Mike Friesenegger of SUSE... It's posted here in case others need something similar...
1) Samba, Winbind etc. need to have the latest patches from SUSE, above the SLES 11 SP1 base.

2) If the AD group has spaces in its name then you will have to use the group's SID in place of the group's name. To find the group's SID from the Linux system that has already joined the domain, type "wbinfo --name-to-sid='AD\it technical support'" (where the AD\ is the AD domain name), which will produce something that looks like:

S-1-5-21-908518461-770907536-2395883247-1125 Domain Group (2)

3) Edit /etc/pam.d/common-auth (really a link to /etc/pam.d/common-auth-pc).

4) Add "require_membership_of=AD\\linuxadmins" (if the group's name has no spaces) or "require_membership_of=S-1-5-21-908518461-770907536-2395883247-1125" (if the group's name has spaces) to the end of "auth required pam_winbind.so use_first_pass". (Again, the AD\ is the name of the AD domain.)

5) Save /etc/pam.d/common-auth.

6) rcwinbind restart (not sure if this is needed but it does not hurt).

That should allow any user in the selected group to login to the Linux system, but deny all other AD users.

Thanks again to Mike (and a few others) at SUSE for all the pieces!

Lee

On 11/28/2011 12:00 PM, Lee Stewart wrote:
Hi... I have a customer with SLES 11 SP1. They want logins authenticated by their Windoze Active Directory setup. OK, we set up NAT and use Yast / Network Services / Windows Domain Membership to join the AD domain, and have specified "Also Use SMB Information for Linux Authentication". Now they can login with their AD credentials. So far, so good...

They also want to limit who can login to the sysprogs. There is an AD group that defines them, so we could use that but... Things like getent and wbinfo don't seem to return anything. (I can get the full list of users and groups, but not what groups this user is in.) I've seen tons of things in Google, and several that might work, but without being able to get the groups from AD, none work.

How have any of you found to limit AD logins?

Thanks...
Lee
--
Lee Stewart, Senior SE
Sirius Computer Solutions
Phone: (303) 996-7122
Email: [email protected]
Web: www.siriuscom.com

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit http://wiki.linuxvm.org/
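Steps 2 through 4 of Lee's recipe, worked through as an added example. This script is not part of the post, nor of Samba's or SUSE's own tooling; it is a set of small shell helpers that pull the SID out of a "wbinfo --name-to-sid" reply, pick the require_membership_of value by the post's rule (DOMAIN\\group when the name has no spaces, the SID otherwise), and append that option to the pam_winbind auth line without duplicating it on a second run. It assumes the PAM line starts with "auth" and names pam_winbind.so, as on the SLES 11 SP1 stack in the post; the doubled backslash in "AD\\linuxadmins" follows the post's spelling. The wbinfo reply and the PAM stack it runs against are constructed samples so that it works offline.

```shell
#!/bin/sh
# Added example, not from the LINUX-390 post: shell helpers for the
# require_membership_of change Lee describes. Everything here runs offline;
# the wbinfo reply and the PAM stack below are constructed samples.
set -eu

# Extract the SID from a "wbinfo --name-to-sid" reply such as
#   S-1-5-21-908518461-770907536-2395883247-1125 Domain Group (2)
# Prints the SID; prints nothing and fails if the reply does not start with one.
sid_from_wbinfo() {
    printf '%s\n' "$1" | sed -n 's/^\(S-1-[0-9][0-9-]*\).*$/\1/p' | grep .
}

# Pick the value for require_membership_of= using the post's rule:
# DOMAIN\\group when the name has no spaces (written with the doubled
# backslash the post uses in the PAM file), otherwise the group's SID.
# $1 = AD domain, $2 = group name, $3 = SID already resolved with wbinfo
membership_value() {
    case "$2" in
        *' '*) printf '%s\n' "$3" ;;
        *)     printf '%s\\\\%s\n' "$1" "$2" ;;
    esac
}

# Append require_membership_of=<value> to the pam_winbind "auth" line of a
# PAM file. Idempotent: a line that already carries the option is left alone.
# $1 = PAM file, $2 = value. Fails if the file has no pam_winbind auth line.
restrict_pam_winbind() {
    grep -Eq '^auth[[:space:]].*pam_winbind\.so' "$1" || return 1
    if grep -Eq '^auth[[:space:]].*pam_winbind\.so.*require_membership_of=' "$1"; then
        return 0
    fi
    tmp=$(mktemp)
    # Rewrite line by line so backslashes in the value are copied verbatim
    # (a sed replacement would need them escaped).
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            auth*pam_winbind.so*) printf '%s require_membership_of=%s\n' "$line" "$2" ;;
            *)                    printf '%s\n' "$line" ;;
        esac
    done < "$1" > "$tmp"
    cat "$tmp" > "$1"    # write through in place so a symlinked common-auth still works
    rm -f "$tmp"
}

# Constructed stand-in for a SLES common-auth-pc auth stack (not copied
# from a real system).
make_sample_pam() {
    cat > "$1" <<'EOF'
auth    required    pam_env.so
auth    sufficient  pam_unix2.so
auth    required    pam_winbind.so  use_first_pass
EOF
}

# Constructed wbinfo reply for the post's group with spaces.
SAMPLE_WBINFO='S-1-5-21-908518461-770907536-2395883247-1125 Domain Group (2)'

# Walk-through on the sample: resolve the SID, pick the value, apply it,
# and show the resulting stack.
demo_file=$(mktemp)
make_sample_pam "$demo_file"
demo_sid=$(sid_from_wbinfo "$SAMPLE_WBINFO")
restrict_pam_winbind "$demo_file" "$(membership_value AD 'it technical support' "$demo_sid")"
cat "$demo_file"
rm -f "$demo_file"
```

On a real system you would feed the actual `wbinfo --name-to-sid` output into `sid_from_wbinfo` and point `restrict_pam_winbind` at /etc/pam.d/common-auth; because it writes through the symlink, the change lands in common-auth-pc as in the post. After applying it, check the result the post claims, a login by a member of the group succeeding and a login by any other AD user being refused, before relying on it.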
