Restricting Access to Linux Servers after connecting to Active Directory

Fred Abell
Occasional Advisor

Greetings,

I have successfully connected my RH 5.8 servers to AD using Winbind. The problem is now anyone in AD can connect to the RH server. I need to allow only web developers to connect from different offices around the world. An AD solution is unlikely.

Fred

Matti_Kurkela
Honored Contributor
Solution

Re: Restricting Access to Linux Servers after connecting to Active Directory

In AD, your web developers are probably distinguishable by being members of a particular group. Or you could request the AD admins to create a group for the purpose. Having a separate group might be useful if you someday need to allow someone who is not a web developer to access the Linux servers, or you'll have a web developer who must not be allowed to access the Linux servers for some reason.

That group should be automatically mapped to a Linux group by winbind: use that group in your access control configuration for all relevant services, so that the login attempt will be rejected if the user does not belong to that particular group.

You could apply this either at the server level (for example, SSH has DenyGroups/AllowGroups directives available in the /etc/ssh/sshd_config file), or at the PAM level using the pam_succeed_if module (see "man pam_succeed_if").

Something like this at the appropriate location in /etc/pam.d/system-auth might be what you're looking for:

auth required pam_succeed_if.so user ingroup <web_developers_group>

Remember that the order of lines in PAM configuration files is meaningful.

MK
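A dry run of the sshd AllowGroups gate described in the reply above, added here as an example and not part of the original post. It assumes the placeholder group name webdevs for whatever winbind maps the AD group to, and reads the user's groups with `id -nG`:

```shell
#!/bin/sh
# Added example, not code from the thread: simulate sshd's AllowGroups
# decision for a user before restarting sshd, so a typo in the directive
# does not lock everyone (or no one) out. The group name "webdevs" used
# in the usage line is a placeholder for the winbind-mapped AD group.

# ssh_group_decision <sshd_config> "<space-separated user groups>"
# Prints "allow" or "deny" and returns 0 or 1 to match.
# Mirrors sshd: with no AllowGroups directive every account passes (the
# state described in the question); with one, the user must belong to a
# group matching at least one listed pattern (* and ? wildcards allowed).
ssh_group_decision() {
  cfg=$1
  groups=$2
  # Collect the patterns from every uncommented AllowGroups line.
  patterns=$(sed -n \
    's/^[[:space:]]*[Aa]llow[Gg]roups[[:space:]][[:space:]]*//p' "$cfg")
  if [ -z "$patterns" ]; then
    echo allow
    return 0
  fi
  for g in $groups; do
    for p in $patterns; do
      # $p is deliberately unquoted so it acts as a shell glob pattern.
      case "$g" in
        $p) echo allow; return 0 ;;
      esac
    done
  done
  echo deny
  return 1
}

# Same check for a real account, using the group list NSS resolves.
# Winbind-mapped groups may carry a domain prefix here depending on
# smb.conf, and that printed name is what AllowGroups must list.
ssh_group_decision_for_user() {
  ssh_group_decision "$1" "$(id -nG "$2")"
}

# Usage: sh ssh_group_check.sh /etc/ssh/sshd_config fred
# (expects an AllowGroups line naming the mapped group, e.g. webdevs)
if [ $# -eq 2 ]; then
  ssh_group_decision_for_user "$1" "$2"
fi
```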
Fred Abell
Occasional Advisor

Re: Restricting Access to Linux Servers after connecting to Active Directory

MK,

Thank you for responding. Unfortunately, there is no particular AD group to use. Users are scattered all over the world and isolating them via AD is impossible.

Fred

Fred Abell
Occasional Advisor

Re: Restricting Access to Linux Servers after connecting to Active Directory

Having discussed this further, I think the AD way is the only way to restrict access.