On 12/20/2010 11:17 AM, Eric A. Hall wrote:
>
> On 12/15/2010 4:19 PM, Eric A. Hall wrote:
>
>> First issue is that I would like to filter out the local (LABS) users and
>> groups in winbind if possible.
>
> Anything else I could try?

I experimented with pam_access a little bit but that did not work for two reasons--first is that it doesn't support wildcards or regex so no way to deny access to LABS.* username(s), and anyway it uses uid number instead of the login name and I needed to filter by name not number.

In the process of debugging this I noticed that pam_winbind returns PAM_SYSTEM_ERR for users in the local domain, but the error was not being trapped as fatal by pam. I changed the common-auth config file so that pam_winbind was REQUIRED instead of SUFFICIENT and moved it to the end of the stack, and now the errors are trapped as fatal and login requests for users in the local domain are rejected.

I think some kind of generalized allow_domains and reject_domains option statements for pam_winbind would be good to have. In the meantime my problem is resolved.

--
Eric A. Hall                          http://www.eric-a-hall.com/
Network Technology Research Group     http://www.ntrg.com/
Internet Core Protocols               http://www.oreilly.com/catalog/coreprot/
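
The control-flag behaviour described in the message above, as an added example that is not part of the original post: a simplified Python model of how Linux-PAM treats a module's return value under `sufficient` versus `required` (the `new_authtok_reqd` case is left out). The stack contents are constructed, and `pam_example` is a hypothetical stand-in for the rest of the stack, which the post does not show.

```python
# Simplified model of Linux-PAM's handling of the four control keywords.
# Module return values are supplied by hand; no real PAM modules are called.
SUCCESS, IGNORE, SYSTEM_ERR, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_IGNORE", "PAM_SYSTEM_ERR", "PAM_PERM_DENIED")

# keyword -> (action on PAM_SUCCESS, action on PAM_IGNORE, action on anything else)
CONTROLS = {
    "required":   ("ok",   "ignore", "bad"),
    "requisite":  ("ok",   "ignore", "die"),
    "sufficient": ("done", "ignore", "ignore"),
    "optional":   ("ok",   "ignore", "ignore"),
}

def evaluate(stack):
    """Return the final PAM result for a list of (control, module, retval)."""
    status, impression = SUCCESS, None       # impression: None, "pos" or "neg"
    for control, _module, retval in stack:
        on_success, on_ignore, on_other = CONTROLS[control]
        action = {SUCCESS: on_success, IGNORE: on_ignore}.get(retval, on_other)
        if action in ("ok", "done"):
            if impression is None:
                status, impression = retval, "pos"
            if impression == "pos" and action == "done":
                break                        # sufficient: stop, stack succeeds
        elif action in ("bad", "die"):
            if impression != "neg":
                status, impression = retval, "neg"   # first failure is kept
            if action == "die":
                break
        # action == "ignore": the module's result is discarded
    if status == SUCCESS and impression != "pos":
        return PERM_DENIED                   # no module vouched for the user
    return status

# Constructed stacks. "pam_example" is a hypothetical stand-in for the rest of
# the stack and is assumed to return PAM_SUCCESS.
def before(winbind_result):   # pam_winbind first, marked sufficient
    return [("sufficient", "pam_winbind", winbind_result),
            ("optional", "pam_example", SUCCESS)]

def after(winbind_result):    # pam_winbind last, marked required
    return [("optional", "pam_example", SUCCESS),
            ("required", "pam_winbind", winbind_result)]

if __name__ == "__main__":
    for name, build in (("before", before), ("after", after)):
        for result in (SUCCESS, SYSTEM_ERR):
            print(name, "pam_winbind ->", result, "=> stack:", evaluate(build(result)))
```

Under `sufficient`, any non-success result from the module is ignored and the outcome is left to the other modules; under `required`, the same result marks the whole stack as failed.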
