John,

When you say that you can log on as any AD user, do you mean using SSH? On our 
systems I use "pam_succeed_if.so user ingroup" in our /etc/pam.d/sshd files, 
see below:

auth       include      system-auth
account    required     pam_nologin.so
#account    include      system-auth
account    sufficient   pam_succeed_if.so user ingroup local_admin_group
account    sufficient   pam_succeed_if.so user ingroup active_directory_group
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Note that I comment out "account include system-auth" and add a local admin 
group so as not to lock out local users.

Andrew
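Added example, not part of the thread above and not Andrew's or Samba's code: a small Python model of how a Linux-PAM account stack evaluates the required / requisite / sufficient / optional control flags, with just enough of pam_nologin, pam_succeed_if "user ingroup", pam_permit and pam_deny to dry-run a group allow-list before it goes into /etc/pam.d/sshd. The group names are the ones from the reply above; the users and their memberships are constructed sample data, and a real system would resolve them through NSS/winbind. The stack modelled here ends with a "required pam_deny.so" line, the conventional way to make sure that a user matching none of the sufficient group checks is refused: with only sufficient checks after a successful required module, PAM's documented semantics let a non-matching user fall through to success, which the OPEN_STACK case illustrates.

```python
"""Dry-run a Linux-PAM account stack for group-based access control.

Added example (not from the mailing-list thread). It encodes the documented
meaning of the control flags and a minimal model of a few modules so that an
allow-list stack can be checked against sample users before deployment.
"""
from dataclasses import dataclass

# Constructed sample directory: user -> groups. On a real host this comes
# from NSS (local /etc/group plus winbind for AD users).
GROUPS = {
    "alice": {"local_admin_group", "wheel"},              # local admin
    "bob":   {"active_directory_group", "domain users"},  # AD user, allowed group
    "carol": {"domain users"},                            # AD user, no allowed group
}


@dataclass
class Rule:
    control: str        # required | requisite | sufficient | optional
    module: str         # pam_nologin | pam_succeed_if | pam_permit | pam_deny
    args: tuple = ()    # module arguments, e.g. ("user", "ingroup", "wheel")


def run_module(rule, user, nologin_present=False):
    """Return True for PAM_SUCCESS and False for any failure code."""
    if rule.module == "pam_nologin":
        return not nologin_present          # fails when /etc/nologin exists
    if rule.module == "pam_succeed_if":
        # Only the "user ingroup <group>" form is modelled here.
        if rule.args[:2] != ("user", "ingroup"):
            raise ValueError("unsupported pam_succeed_if test: %r" % (rule.args,))
        return rule.args[2] in GROUPS.get(user, set())
    if rule.module == "pam_permit":
        return True
    if rule.module == "pam_deny":
        return False
    raise ValueError("unknown module %s" % rule.module)


def evaluate(stack, user, nologin_present=False):
    """Apply the control flags the way the Linux-PAM dispatcher does.

    required:   a failure is remembered, but the remaining modules still run
    requisite:  a failure ends the stack immediately with failure
    sufficient: a success ends the stack with success unless a required
                module has already failed; a failure is simply ignored
    optional:   only decides the outcome when it is the sole module
    An undecided stack (no module ever set a result) is a failure.
    """
    outcome = None  # None = undecided, True = success so far, False = failed
    for rule in stack:
        ok = run_module(rule, user, nologin_present)
        if rule.control in ("required", "requisite"):
            if ok:
                if outcome is None:
                    outcome = True
            else:
                outcome = False
                if rule.control == "requisite":
                    return False
        elif rule.control == "sufficient":
            if ok and outcome is not False:
                return True
            # a failing sufficient module is ignored; keep going
        elif rule.control == "optional":
            if len(stack) == 1:
                outcome = ok
        else:
            raise ValueError("unknown control flag %s" % rule.control)
    return bool(outcome)


def allowed_users(stack, users=GROUPS):
    """Map each sample user to the access decision for the given stack."""
    return {user: evaluate(stack, user) for user in users}


# Allow-list stack: local admins and one AD group, everyone else denied.
ALLOWLIST_STACK = [
    Rule("required",   "pam_nologin"),
    Rule("sufficient", "pam_succeed_if", ("user", "ingroup", "local_admin_group")),
    Rule("sufficient", "pam_succeed_if", ("user", "ingroup", "active_directory_group")),
    Rule("required",   "pam_deny"),   # closes the stack for non-matching users
]

# Same checks without the closing deny: a non-matching user falls through,
# because pam_nologin (required) already set the outcome to success.
OPEN_STACK = ALLOWLIST_STACK[:-1]

if __name__ == "__main__":
    for name, stack in (("allow-list", ALLOWLIST_STACK), ("open", OPEN_STACK)):
        print(name, allowed_users(stack))
```

Running the module prints the decision per sample user for both stacks; to test a different /etc/pam.d/sshd account section, transcribe its lines into Rule entries and extend run_module for any module it uses that is not modelled here.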

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of John P Arends
Sent: Thursday, January 24, 2013 1:45 PM
To: samba@lists.samba.org
Subject: [Samba] require_membership_of is ignored

I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands 
like wbinfo -u and wbinfo -g output the users and groups. I can also log in as 
any AD user.

The problem is, I can log on as any AD user.

require_membership_of is being ignored. I can put in a valid group with no 
spaces in the name, a group by SID, and either way, everyone can log in.

I've put this option in both /etc/pam.d/system-auth and 
/etc/security/pam_winbind.conf and any user can log in.

Any suggestions, or advice on how I can better troubleshoot this? I'm not 
seeing anything in the logs that is helpful, but I may not be looking in the 
right place.

I've asked a few other people who have told me "oh, that never works" but I 
can't imagine that is the case.

Running 3.5.10-125.el6, by the way.

Thanks

-John

John Arends
Senior Systems Engineer
School of Communication
Northwestern University 
847-491-5789

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba