Using Active Directory groups to control access to Linux services

Recently I published an article, Integrate Unix into Active Directory while maintaining UNIX style security using Samba and OpenLDAP, outlining how to set up OpenLDAP to do ID mapping between Unix and Active Directory, how to configure the client to authenticate to Active Directory, and how to obtain user and group UIDs and GIDs from OpenLDAP.

Now let's discuss how to take advantage of Active Directory to control access to client and server services.

1. PAM (Pluggable Authentication Modules)

By default, once a system is bound to Active Directory, any Active Directory user can log in at the workstation or server console or through the graphical desktop. Depending on the role of the machine and the content stored on it, system administrators may want to restrict access to a controlled group, using Active Directory for centralised and simplified management.

They may also want to use Active Directory to grant access to particular services, such as SSH and FTP, only to certain users or groups. PAM makes this possible.

PAM provides authentication for services such as SSH, FTP, graphical display managers such as GDM, and the UNIX console. All modern UNIX and Linux operating systems support PAM. To control access to a service, the PAM configuration file for that service (under /etc/pam.d) has to be modified.

This document goes over a few services as examples of how to modify the PAM configuration to properly secure access. These settings can be applied on either a workstation or a server.

1.2 Restrict access to GDM, Console, and SSH to a domain group

1.2.1 Active Directory group

Create a security group for each service whose access you want to control. How you define the groups is up to you; nesting is allowed, so a parent group can contain other groups. A few patterns:

  1. A security group per data center or site for the local site administrators, with the Enterprise Unix Admin group nested in each so it can provide global support.
  2. A security group per host, with other support groups nested in it to grant access to different support teams.
  3. A security group per host, plus a security group per FTP site hosted on that host, to grant FTP users access.

These are only examples; you are not restricted. If you would rather not nest groups, you can list more than one group in the PAM configuration instead. Note that pam_succeed_if only sees the groups the system reports for the user (what id username prints), so nested membership only works if your winbind/OpenLDAP setup expands nested groups; check the output of id for a test user before relying on nesting.

In this document we will create groups based on host access. When creating a group, make sure the name contains no spaces, because a PAM configuration line is split on whitespace. Example: JIMMNIX01-console, where jimmnix01 is the host name of the client.

1.2.2 Restrict Console

  1. To restrict access to the console modify /etc/pam.d/login with the following changes:

    1. Comment out the following lines using a (#) before each line:

#auth sufficient pam_unix.so use_first_pass

#account sufficient pam_winbind.so

#account required pam_stack.so service=system-auth

    2. Add account sufficient pam_succeed_if.so user ingroup DomainGroup (where DomainGroup is the group you created in Active Directory)

Example: account sufficient pam_succeed_if.so user ingroup jimmnix01-console

    3. To grant another group add another line with account sufficient pam_succeed_if.so user ingroup DomainGroup2 (where DomainGroup2 is the second group you created in Active Directory)

    4. Add account sufficient pam_succeed_if.so user ingroup wheel so that members of the local wheel group (local administrators) keep console access.

Example: account sufficient pam_succeed_if.so user ingroup wheel

Note that commenting out the pam_winbind.so and system-auth account lines also removes the account checks those modules performed (for example an expired or disabled account reported by Active Directory, or password expiry for local users); after this change the group membership test is the only account-phase check for the console.

1.2.3 Restrict SSH

  1. To restrict access to SSH modify /etc/pam.d/sshd and replace all of its contents with the contents below, changing DomainGroup to the security group created in Active Directory.

auth required pam_stack.so service=system-auth

auth required pam_nologin.so

account sufficient pam_succeed_if.so user ingroup DomainGroup

account sufficient pam_succeed_if.so user ingroup wheel

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth

session required pam_loginuid.so

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
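The following shell script is an added example and is not part of the original article. It lets you check who would pass the account phase of a restricted service file before you log out and test by hand. It reads a pam.d file, evaluates only the account lines, and applies Linux-PAM's control-flag rules: a successful sufficient line allows immediately, a failed sufficient line is ignored, a failed required line denies at the end of the stack, a failed requisite line denies at once, and a stack in which every line was ignored denies. Only the pam_succeed_if.so conditions user ingroup and user notingroup are evaluated; every other account module is assumed to pass, which is an assumption made for the example, and bracketed controls such as [success=1 default=ignore] are not handled. The /etc/pam.d/sshd contents it writes are a constructed copy of the file shown above; the user names and group lists are made up.

```shell
#!/bin/sh
# Added example: simulate the "account" phase of a PAM service file for a
# user and a list of groups, so a pam_succeed_if group gate can be checked
# before anyone is locked out.  Not PAM itself: only pam_succeed_if.so
# "user ingroup G" / "user notingroup G" is evaluated; every other account
# module (pam_stack.so, pam_winbind.so, include ...) is assumed to succeed
# (an assumption made for this example).  Bracketed controls such as
# [success=1 default=ignore] are not handled.

# Usage: pam_account_check FILE USER GROUP [GROUP...]
# Prints "USER: allow" or "USER: deny"; returns 0 for allow, 1 for deny.
pam_account_check() {
    local file=$1 user=$2; shift 2
    local groups=" $* "                 # padded so " name " matches whole names only
    local type control module args result positive=0 failed=0

    while read -r type control module args; do
        case "$type" in ''|'#'*) continue ;; esac   # blank or commented line
        [ "$type" = account ] || continue            # other phases are not simulated

        result=0                                     # module result: 0 = success
        if [ "$module" = pam_succeed_if.so ]; then
            set -- $args                             # e.g. user ingroup jimmnix01-console
            case "$1 $2" in
                "user ingroup")    case "$groups" in *" $3 "*) ;; *) result=1 ;; esac ;;
                "user notingroup") case "$groups" in *" $3 "*) result=1 ;; esac ;;
                *) result=1 ;;                       # condition not simulated: fail closed
            esac
        fi

        # Control-flag handling, following Linux-PAM's rules.
        case "$control" in
            sufficient)   # success ends the stack unless a required line already failed
                if [ "$result" -eq 0 ] && [ "$failed" -eq 0 ]; then
                    echo "$user: allow"; return 0
                fi ;;
            required)     # failure is remembered, processing continues
                if [ "$result" -eq 0 ]; then positive=1; else failed=1; fi ;;
            requisite)    # failure ends the stack immediately
                if [ "$result" -eq 0 ]; then positive=1; else echo "$user: deny"; return 1; fi ;;
            optional)
                if [ "$result" -eq 0 ]; then positive=1; fi ;;
        esac
    done < "$file"

    # No required failure and at least one positive result: allow.  A stack in
    # which every line was ignored (all sufficient lines failed) denies.
    if [ "$failed" -eq 0 ] && [ "$positive" -eq 1 ]; then echo "$user: allow"; return 0; fi
    echo "$user: deny"; return 1
}

# Writes a constructed copy of the restricted /etc/pam.d/sshd from the text
# to the given path (example data; do not overwrite a real host's file with it).
write_example_sshd() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_succeed_if.so user ingroup jimmnix01-console
account sufficient pam_succeed_if.so user ingroup wheel
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF
}

# Stand-alone demo with made-up users and group lists.
demo=$(mktemp)
write_example_sshd "$demo"
pam_account_check "$demo" alice jimmnix01-console users || :   # alice: allow
pam_account_check "$demo" bob users                     || :   # bob: deny
pam_account_check "$demo" root wheel                    || :   # root: allow
rm -f "$demo"
```

On a real host, pass the actual service file and the groups the system resolves for the account, for example pam_account_check /etc/pam.d/sshd alice $(id -nG alice); if an Active Directory group you expect is missing from that id output, the nesting or ID mapping is the problem, not the PAM line.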

1.2.4 Restrict GDM (GNOME Display Manager)

  1. To restrict access to the graphical logon manager modify /etc/pam.d/gdm and comment out the following:

#auth include system-auth

#account include system-auth

#session include system-auth

  2. Add the following lines:

auth required pam_stack.so service=system-auth

account sufficient pam_succeed_if.so user ingroup DomainGroup

account sufficient pam_succeed_if.so user ingroup wheel

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth

  3. Replace DomainGroup with the group you created in Active Directory.

Example: account sufficient pam_succeed_if.so user ingroup jimmnix01-console

  4. To grant another group add another line with account sufficient pam_succeed_if.so user ingroup DomainGroup2 (where DomainGroup2 is the second group you created in Active Directory)

1.2.5 Restrict FTP and other services

For other services such as FTP the same pattern applies. In the service's file under /etc/pam.d, change auth include system-auth and session include system-auth to auth required pam_stack.so service=system-auth and session required pam_stack.so service=system-auth, and replace account include system-auth with account sufficient pam_succeed_if.so user ingroup DomainGroup (where DomainGroup is a group you created in Active Directory). Only members of that group, and of any further groups you list the same way, will then pass the account check.

Example:

auth required pam_stack.so service=system-auth

account sufficient pam_succeed_if.so user ingroup FTPUsers

account sufficient pam_succeed_if.so user ingroup wheel

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth
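As an added example (not from the original article), the script below applies the account-phase part of this recipe to any service file. It comments out the account include system-auth line (Red Hat style) or account include common-account line (SUSE style) and inserts one account sufficient pam_succeed_if.so user ingroup line per group you name, followed by the wheel line for local administrators. It deliberately leaves the auth, password and session include lines as they are instead of converting them to pam_stack.so, because pam_stack.so only exists on older PAM releases and the include keyword does the same job on later ones. The service file it builds for the demo is a constructed SUSE-style one, and the group names are made up.

```shell
#!/bin/sh
# Added example: apply the group restriction from this section to a pam.d
# service file.  Every "account include system-auth" (Red Hat style) or
# "account include common-account" (SUSE style) line is commented out and
# replaced by one "account sufficient pam_succeed_if.so user ingroup G" line
# per group given, plus the wheel line for local administrators.  All other
# lines (auth/password/session) are copied through unchanged, so the include
# mechanism keeps working on PAM releases that no longer ship pam_stack.so.
# Running it a second time on its own output changes nothing, because the
# include line is already commented.
#
# Usage: restrict_pam_service IN OUT GROUP [GROUP...]   (IN and OUT must differ)
# Group names pass through awk -v, which interprets backslashes, so a
# DOMAIN\group name must be written with the backslash doubled.
restrict_pam_service() {
    local in=$1 out=$2; shift 2
    if [ $# -eq 0 ]; then
        echo "restrict_pam_service: at least one group is required" >&2
        return 2
    fi
    awk -v groups="$*" '
        $1 == "account" && $2 == "include" && ($3 == "system-auth" || $3 == "common-account") {
            print "#" $0                       # keep the original line, disabled
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++)
                print "account sufficient pam_succeed_if.so user ingroup " g[i]
            print "account sufficient pam_succeed_if.so user ingroup wheel"
            next
        }
        { print }
    ' "$in" > "$out"
}

# Stand-alone demo on a constructed SUSE-style service file (made-up data).
src=$(mktemp); dst=$(mktemp)
printf '%s\n' '#%PAM-1.0' 'auth include common-auth' 'account include common-account' \
    'password include common-password' 'session include common-session' > "$src"
restrict_pam_service "$src" "$dst" jimmnix01-ftpusers
cat "$dst"
rm -f "$src" "$dst"
```

For a real host, write to a scratch file first (restrict_pam_service /etc/pam.d/vsftpd /tmp/vsftpd.new jimmnix01-ftpusers), diff it against the original, and keep a root shell open while you replace the file and test a login from a second session.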

Comments (9)

MikeM 6 years ago

great article Jim thanks!


Omar Ramos 5 years ago

Does it work on SUSE?


Jimmt 5 years ago

Yes, I have done this on RHEL and SUSE Linux. I am primarily a SUSE user.


Omar Ramos 5 years ago

I am trying on SUSE 11 SP1 on s390x; with the GID it works, but I would like to have it on group names, because that is more flexible. I only have the common-account module in the pam.d directory; how do I download the module to have the system-auth module, or do I have to create them? Thanks for your help.


Omar Ramos 5 years ago

This is my vanilla (default) configuration:

mytest:/etc/pam.d # cat gdm

#%PAM-1.0

auth include common-auth

account include common-account

password include common-password

session required pam_loginuid.so

session include common-session

mytest:/etc/pam.d #


Omar Ramos 5 years ago

It seems that the version of PAM is lower than the version you posted.


Omar Ramos 5 years ago

I have already resolved the issue; this is my configuration that works:

amqu1:/etc/pam.d # cat gdm

#%PAM-1.0

auth include common-auth

#account include common-account    (I commented this line)

account sufficient pam_succeed_if.so user ingroup mydomain\linux_sysadmin    (I added this line and it works.)

password include common-password

session required pam_loginuid.so

session include common-session

amqu1:/etc/pam.d # cat sshd

#%PAM-1.0

auth requisite pam_nologin.so

auth include common-auth

account sufficient pam_succeed_if.so user ingroup mydomain\linux_sysadmin    (added this line)

account requisite pam_nologin.so

#account include common-account    (commented this line)

password include common-password

session required pam_loginuid.so

session include common-session


Omar Ramos 5 years ago

Great Article


Diego 4 years ago

Hey, nice article.

I have a doubt, if you can help me...

- I want to be able to log in with a local Linux account and with Active Directory, in case my AD is offline...

- I want to be able to log in with just a local Unix account, for just some users...

Any idea?

Thanks anyway.
