When integrating Linux systems with Active Directory authentication via Samba+Winbind, you'll often need to restrict access beyond just valid AD credentials. Production environments typically require granular control - allowing only sysadmin groups or department-specific users to log in while blocking others with valid domain accounts.
The key lies in modifying the Pluggable Authentication Modules (PAM) stack. Here's a tested configuration for /etc/pam.d/system-auth on RHEL/CentOS systems:
auth required pam_env.so auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth required pam_deny.so auth [success=2 default=ignore] pam_succeed_if.so user ingroup DOMAIN\\Admins quiet auth [success=1 default=ignore] pam_succeed_if.so user ingroup DOMAIN\\DevOps quiet auth required pam_deny.so
For SSH restrictions, modify /etc/ssh/sshd_config:
AllowGroups DOMAIN\\Admins DOMAIN\\DevOps PasswordAuthentication yes ChallengeResponseAuthentication yes GSSAPIAuthentication yes GSSAPICleanupCredentials yes
Ensure your /etc/samba/smb.conf contains these critical parameters in the [global] section:
winbind use default domain = yes winbind offline logon = yes winbind enum users = yes winbind enum groups = yes
After configuration, test with these commands:
# Verify AD group membership wbinfo --group-info="DOMAIN\\Admins" # Test authentication su - DOMAIN\\testuser # Check PAM debugging (in separate terminal) tail -f /var/log/secure
- Always keep a root SSH session open when testing auth changes
- Use
getent groupto verify winbind group synchronization - Check
/var/log/messagesand/var/log/samba/log.winbinddfor errors - Remember Windows group names are case-sensitive in the Linux context
For managing multiple servers, here's an Ansible snippet to deploy consistent PAM configurations:
- name: Configure restricted AD authentication
blockinfile:
path: /etc/pam.d/system-auth
block: |
auth required pam_env.so
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth required pam_deny.so
auth [success=2 default=ignore] pam_succeed_if.so user ingroup {{ ad_admin_group }} quiet
auth [success=1 default=ignore] pam_succeed_if.so user ingroup {{ ad_devops_group }} quiet
auth required pam_deny.so
marker: "# {mark} ANSIBLE MANAGED BLOCK - AD AUTH"
When integrating Linux systems with Active Directory via Samba and Winbind, all authenticated AD users typically gain access by default. This occurs because the standard configuration in /etc/security/pam_winbind.conf and /etc/samba/smb.conf doesn't implement group-based restrictions.
We'll need to modify three critical configuration files:
1. /etc/security/pam_winbind.conf
2. /etc/pam.d/system-auth
3. /etc/samba/smb.conf
First, edit /etc/security/pam_winbind.conf to add group restrictions:
[global]
# Only allow these AD groups to authenticate
require_membership_of = "DOMAIN\\AllowedGroup1","DOMAIN\\AllowedGroup2"
cached_login = yes
krb5_auth = yes
For PAM configuration, modify /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_winbind.so use_first_pass require_membership_of=DOMAIN\\AllowedGroup
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
Update /etc/samba/smb.conf with proper ID mapping and domain settings:
[global]
workgroup = DOMAIN
security = ads
realm = DOMAIN.COM
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 100000-999999
winbind use default domain = yes
winbind offline logon = yes
winbind nested groups = yes
For SSH access control, create or modify /etc/ssh/sshd_config:
AllowGroups DOMAIN\\AllowedGroup1 DOMAIN\\AllowedGroup2
Match Group DOMAIN\\AdminGroup
PermitRootLogin no
AllowTcpForwarding yes
After making changes, test your configuration:
# Verify AD connectivity
wbinfo -t
# Check user group membership
wbinfo --user-domgroups DOMAIN\\username
# Test authentication
su - DOMAIN\\testuser
If users can't authenticate:
1. Check /var/log/secure for PAM errors
2. Verify time synchronization between AD and Linux
3. Ensure proper DNS resolution
4. Check SELinux context if enabled:
audit2allow -a -w