How can I restrict logins to specific domain users in my Active Directory authentication setup in RHEL?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 4, 5 and 6
  • pam_access.so

Issue

How to restrict logins to specific Active Directory accounts in Red Hat Enterprise Linux?

Resolution

To restrict access to particular domain users, use the PAM module pam_access.so.

Edit /etc/pam.d/system-auth and add a pam_access account entry before the pam_winbind.so (or pam_ldap.so) account entry, so that the account section reads:

	account required pam_access.so  
	account [default=bad success=ok user_unknown=ignore] pam_winbind.so

Edit /etc/security/access.conf and list the domain users who are allowed to log in to the Red Hat Enterprise Linux machine. Each line has the form permission:users:origins, and the first line that matches the user and origin decides. For example, to allow only the Active Directory (AD) users tom, dick and harry from the MYDOMAIN domain, add the entry:

	-:ALL except MYDOMAIN+tom MYDOMAIN+dick MYDOMAIN+harry root:ALL

This change takes effect immediately; no service needs to be restarted. Be aware that this allows only these three users and the root user to log in. Other local users and accounts from other repositories (e.g. NIS) will not be allowed to log in, so keep an existing root session open while testing the rule.

To allow all users in a particular domain group, e.g. 'mygroup', to log in, specify the group name in the same place (pam_access matches a name in the users field against both the login name and the user's group membership):

	-:ALL except MYDOMAIN+mygroup root:ALL

If a user or group name contains white space (e.g. "ad user1"), the default list separator (white space) cannot delimit the entries. Add the listsep option to pam_access.so to choose a different separator and use that character between the entries of the users field, with no spaces around it; the EXCEPT keyword must be delimited by the same character. Note that fieldsep changes the ':' that separates the three fields of a line, not the separator between list entries, so it is the wrong option here. Check that pam_access(8) on the release in use lists the listsep option. A line that only permits the named users restricts nobody, because pam_access grants access when no line matches, so keep the deny-all-except form:

	account     required      pam_access.so listsep=,
	# access.conf entry
	-:ALL,EXCEPT,ldap user1,ldap user2,root:ALL
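
The procedure above (the pam_access entry in the account stack, the deny-all-except rule in access.conf for users or groups, and the listsep variant for names containing spaces) as an added shell example; this is not the article's own code or a Red Hat tool. It assumes only a POSIX shell, grep, awk and mktemp, takes every file path as a parameter so it can be run against copies before touching /etc, and the system-auth it builds for the demonstration is constructed here to resemble an authconfig-generated RHEL stack:

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: helpers that apply the
# pam_access restriction to a PAM service file, generate the matching
# access.conf rule and check the result. Paths are parameters so the helpers
# can be exercised on copies of /etc/pam.d/system-auth first.

# Insert "account required pam_access.so" immediately before the first account
# entry that calls pam_winbind.so or pam_ldap.so. A second run is a no-op, so
# the entry is never duplicated.
add_pam_access() {
    file="$1"
    if grep -Eq '^account[[:blank:]].*pam_access\.so' "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    awk '
        !done && /^account[ \t]/ && /pam_(winbind|ldap)\.so/ {
            print "account     required      pam_access.so"
            done = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Succeed if the pam_access.so account entry comes before the pam_winbind.so /
# pam_ldap.so account entry (the order the article uses); fail if it is
# missing or sits after the backend module.
pam_access_precedes_backend() {
    awk '
        /^account[ \t]/ && /pam_(winbind|ldap)\.so/ { backend = 1 }
        /^account[ \t]/ && /pam_access\.so/ && !backend { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Print the access.conf line that denies everyone except the named users or
# groups (already carrying their domain prefix) plus root. SEP is the list
# separator: " " for the default, or "," when pam_access.so is loaded with
# listsep=, for names that contain spaces. EXCEPT is delimited the same way.
deny_all_except() {
    sep="$1"; shift
    list="ALL${sep}EXCEPT"
    for name in "$@"; do
        list="${list}${sep}${name}"
    done
    printf '%s\n' "-:${list}${sep}root:ALL"
}

# pam_access grants access when no line matches, so a file holding only "+"
# lines restricts nobody. Succeed only if some line denies ALL users,
# optionally with an EXCEPT list: "-:ALL ...", "-:ALL,..." or "-:ALL:...".
has_catch_all_deny() {
    grep -Eiq '^[[:blank:]]*-[[:blank:]]*:[[:blank:]]*ALL([[:blank:],]|:)' "$1"
}

# Constructed demonstration on a copy of an authconfig-style stack (sample
# content written here, not taken from the article).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
EOF
    add_pam_access "$dir/system-auth"
    add_pam_access "$dir/system-auth"      # second call must change nothing
    deny_all_except ' ' MYDOMAIN+tom MYDOMAIN+dick MYDOMAIN+harry > "$dir/access.conf"
    pam_access_precedes_backend "$dir/system-auth"
    has_catch_all_deny "$dir/access.conf"
    cat "$dir/system-auth" "$dir/access.conf"
    rm -rf "$dir"
}

demo
```

Two things the helpers cannot decide for you. First, a `sufficient` entry earlier in the account stack (the authconfig default `pam_succeed_if.so uid < 500 quiet` in the sample is one) ends the stack for the accounts it matches, so those accounts never reach pam_access; read the whole account section, not just the insertion point. Second, system-auth is normally a symlink to the authconfig-managed system-auth-ac, which authconfig regenerates; on RHEL 6, `authconfig --enablepamaccess --update` adds the pam_access entry to both system-auth and password-auth itself.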

Assumptions

  • Note that the above example assumes (if winbind is used) the following /etc/samba/smb.conf settings:

      winbind use default domain = no  
      winbind separator = +
    
  • If "winbind use default domain = yes" then there is no need to specify 'MYDOMAIN+' as it is implied.

  • If RHEL 6 is used, add the pam_access entry to /etc/pam.d/password-auth as well, since services such as sshd include that file rather than system-auth.

  • For more information about using the access.conf file please read the comments and examples contained within that file.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.