Displaying 20 results from an estimated 45 matches for "pam_access".
2006 Nov 29
1
pam_access not working?
Hi,
I am having a strange problem, where I cannot get pam_access to work as
intended. I have placed the following line in /etc/pam.d/system-auth
account required /lib/security/pam_access.so
Then, in /etc/security/access.conf, I have put the following line:
-:mok:10.14.44.104
I.e. I should prevent myself from logging on from host 10.14.44.104.
Howe...
2009 Mar 20
1
pam_access.so restrictions not working - syntax errors?
Hi folks,
I want to restrict root access via ssh to certain (internal) hosts.
That is what pam_access.so is for, I thought, so I configured:
in /etc/security/access.conf I added (nothing in there before):
+ : root : 192.168.123.0/24 10.72.0.0/16
- : root : ALL
in /etc/pam.d/ssh I added at the end:
account required pam_access.so
Then I restarted the ssh server.
Basically, this kinda works. Cron...
2012 Oct 10
1
CentOS6 and pam_access
I just realised that pam_access no longer works under CentOS6 - or it works
differently from CentOS5.
Under CentOS5, I used this configuration to restrict access to root only:
# cat /etc/security/access.conf
+ : root : ALL
- : ALL : ALL
# cat /etc/pam.d/system-auth-ac
...
account required pam_access.so
account re...
2004 Sep 04
0
pam_access
I've discovered when I add the line pam_access for access
authentication, it always denies a login, even when access.conf accepts
everything. I've tested this with other programs, and they work okay.
Any ideas?
2006 Nov 21
1
Samba selectively obeying pam restrictions
Having a difficult problem getting my pam_access.so module enforced on a 3.0.22 version of Samba.
Here is my /etc/pam.d/samba file:
auth required pam_winbind.so debug
account required pam_access.so
account sufficient pam_winbind.so debug
account include system-auth
session include system-auth
session req...
2002 Jun 03
1
WinXP allows login to expired/forbidden accounts
Hi,
I've stumbled upon this problem while trying to limit access to specific
machine to specific domain users. I did it by setting Samba to obey PAM
restrictions, and then using the pam_access PAM module ('account' clause)
to do user validation (described below).
On Win2000, this works fine - if an unauthorized user tries to login,
Win2000 says 'Account not permitted to login at this time' (or something
along those lines), and disallows the login.
But WinXP _allows...
2010 Sep 14
1
cron breaking when enabling ldap
Hi
When I enable a box to do authentication using LDAP it breaks cron for users like jboss.
I get the following in /var/log/secure
Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account): access denied for user `jboss' from `cron'
I have the following in /etc/ldap.conf
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,jboss
/etc/pam.d/crond
auth sufficient pam_env.so
auth required pam_rootok.so
a...
2002 May 10
2
Authorizing login per station
Hi,
We're using Samba 2.2.2 as a PDC for W2k and XP clients. We have
two types of users - "regular" users and "management". The problem I have
is to allow only the "management" users to login from certain stations,
and deny the login rights to regular users. That is, I need the ability to
set per-station login permissions.
Is there a way to do this using samba
2003 Nov 07
2
samba + user/host authentification
...(only to
machines which have the same installation).
example: userA only login to ms-workstion1
userB login to ms-ws1,ms-ws2
userC login to ms-ws3,ms--ws4
userD only login to ms-ws4
i tried to configure a user restriction about PAM with 'pam_access.so' in
/etc/pam.d/samba and its config file 'access.conf', but it didn't work.
but restrictions for login,ssh, ftp etc. via PAM and 'pam_access.so' works.
maybe i have to set some values for the users in LDAP, but i don't know
what. the answer is probably quite easy, but...
2017 Dec 01
2
Restricting AD group logging on to Servers
...M authentication, I now want to restrict access to specified group(s). So I created a linuxadmins
group and made some test users members of the group.
Initially I tried to restrict access by modifying /etc/security/access.conf and adding a file to /usr/share/pam-configs containing
Auth: required pam_access.so. This works OK for normal users, including AD users, but I cannot get it to work for AD groups. For
example, I wanted to deny Domain Users, but allow linuxadmins. I have tried all variations eg DOMAIN\Domain Users,
DOMAIN\\Domain Users, Domain Users, domain users; in quotes or not, wi...
2011 Jun 30
2
Limit SSH access for users from defined source address
...group to have access only from defined IP address.
As I know this can be setup in sshd_config only for AllowUsers, but
users in group are changed so I must use allowgroups instead of
allowusers.
I have modified /etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_access.so accessfile=/etc/security/access-sshd.conf
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
and setup acce...
2005 Oct 21
0
a gotcha with cron and 4.2
...you can just add a line like:
+:ALL:cron
to /etc/security/access.conf and it will enable those cron jobs again.
NOTE: this is only if you already have modified access.conf. if you
haven't touched it, then you don't need to do anything. i just happened
to notice:
Oct 21 11:15:02 charon pam_access[27438]: access denied for user `root' from `cron'
Oct 21 11:15:02 charon pam_access[27439]: access denied for user `cacti' from `cron'
Oct 21 11:15:02 charon crond[27438]: Permission denied
Oct 21 11:15:02 charon crond(pam_unix)[27438]: session closed for user root
Oct 21 11:15:02 c...
2017 Dec 01
2
Restricting AD group logging on to Servers
...o specified group(s). So I created a linuxadmins group and
> > made some test users members of the group.
> >
> > Initially I tried to restrict access by
> > modifying /etc/security/access.conf and adding a file
> > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > This works OK for normal users, including AD users, but I cannot get
> > it to work for AD groups. For example, I wanted to deny Domain
> > Users, but allow linuxadmins. I have tried all variations eg
> > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users,...
2016 Jan 26
2
Samba Hylafax PAM
...ly. On the specific machine (asterisk with hylafax and iaxmodem - works like a charm) pam works - I can switch to a different user, login by ssh with ad users a.s.o. - everything works, except hylafax auth :(
I can also login with user created with hylafax itself. But when I put
auth required pam_access.so
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
in /etc/pam.d/hylafax, I get
Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): conversation failed
Jan 25 08:28:40 voip1 HylaF...
2017 Dec 01
0
Restricting AD group logging on to Servers
...o restrict
> access to specified group(s). So I created a linuxadmins group and
> made some test users members of the group.
>
> Initially I tried to restrict access by
> modifying /etc/security/access.conf and adding a file
> to /usr/share/pam-configs containing Auth: required pam_access.so.
> This works OK for normal users, including AD users, but I cannot get
> it to work for AD groups. For example, I wanted to deny Domain
> Users, but allow linuxadmins. I have tried all variations eg
> DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> users;...
2007 Sep 15
1
Cron set_loginuid failed opening loginuid errors.
...jobs running. It looks to have started after the last krb5
updates - however this could be coincidence.
$ cat crond
#
# The PAM configuration file for the cron daemon
#
#
auth sufficient pam_rootok.so
auth required pam_env.so
auth include system-auth
account required pam_access.so
account include system-auth
#session required pam_loginuid.so
session include system-auth
I commented out pam_loginuid.so - as I remember reading somewhere
that this was the cause of this issue, however it hasn't made a
difference this time...
Does anyone have any insi...
2002 Jun 04
0
VS: WinXP allows login to expired/forbidden accounts
win2k has cache too. So how it's different?
Jooel
>
> Hi,
> I've stumbled upon this problem while trying to limit access to
> specific machine to specific domain users. I did it by setting Samba to
> obey PAM restrictions, and then using the pam_access PAM module
> ('account' clause) to do user validation (described below).
>
> On Win2000, this works fine - if an unauthorized user tries to
> login, Win2000 says 'Account not permitted to login at this time' (or
> something along those lines), and disallows th...
2007 Nov 07
0
samba, winbind and pam
...0000-200000
log file = /var/log/samba/%m.log
max log size = 50000
system-auth file
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account required pam_access.so
account sufficient pam_winbind.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
pa...
2009 Jul 06
0
winbind pam error
...ed.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password...
2011 Jun 17
2
Restricting logins using pam_winbind require_membership_of ?
Hi.
I have some shares on a server that are offered to specific Active Directory
user groups, but the business doesn't want those users to be able to login
to the server. If I were to add "require_membership_of" to pam_winbind to
limit logins and shut out the users I don't want, would it also have the
side effect of denying those users access to the shares as well?
Regards,