https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5654905#M53663 <P>Greetings,</P><P>&nbsp;</P><P>I have successfully connected my RH 5.8 servers to AD using Winbind. The problem is now anyone in AD can connect to the RH server. I need to allow only web developers to connect from different offices around the world. An AD solution is unlikely.</P><P>&nbsp;</P><P>Fred</P> Fri, 11 May 2012 14:38:20 GMT Fred Abell 2012-05-11T14:38:20Z https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5654905#M53663 <P>Greetings,</P><P>&nbsp;</P><P>I have successfully connected my RH 5.8 servers to AD using Winbind. The problem is now anyone in AD can connect to the RH server. I need to allow only web developers to connect from different offices around the world. An AD solution is unlikely.</P><P>&nbsp;</P><P>Fred</P> Fri, 11 May 2012 14:38:20 GMT https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5654905#M53663 Fred Abell 2012-05-11T14:38:20Z https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5656569#M53667 <P>In AD, your web developers are probably distinguishable by being members of a particular group. Or you could request the AD admins to create a group for the purpose. Having a separate group might be useful if you someday need to allow someone who is not a web developer to access the Linux servers, or you'll have a web developer which must not be allowed to access the Linux servers for some reason.</P><P>&nbsp;</P><P>That group should be automatically mapped to a Linux group by winbind: use that group in your access control configuration for all relevant services, so that the login attempt will be rejected if the user does not belong to that particular group.</P><P>&nbsp;</P><P>You could apply this either at the server level (for example, SSH has DenyGroups/AllowGroups directives available in /etc/ssh/sshd_config file), or at the PAM level using the pam_succeed_if module (see "man pam_succeed_if").</P><P>&nbsp;</P><P>Something like this at the appropriate location in /etc/pam.d/system-auth might be what you're looking for:</P><PRE>auth required pam_succeed_if.so user ingroup &lt;web_developers_group&gt;</PRE><P>&nbsp;Remember that the order of lines in PAM configuration files is meaningful.</P> Mon, 14 May 2012 07:52:17 GMT https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5656569#M53667 Matti_Kurkela 2012-05-14T07:52:17Z https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5657363#M53668 <P>MK,</P><P>&nbsp;</P><P>Thank you for responding. Unfortunately, there is no particular AD group to use. Users are scattered all over the world and isolating them via AD is impossible.</P><P>&nbsp;</P><P>Fred</P> Mon, 14 May 2012 15:39:15 GMT https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5657363#M53668 Fred Abell 2012-05-14T15:39:15Z https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5657659#M53669 <P>Having discussed this further, I think the AD way is the only way to restrict access.</P> Mon, 14 May 2012 22:24:56 GMT https://community.hpe.com/t5/operating-system-linux/restricting-access-to-linux-servers-after-connecting-to-active/m-p/5657659#M53669 Fred Abell 2012-05-14T22:24:56Z