Linux PAM pam_succeed_if.so

view story

http://serverfault.com – I've specified an AD security group in PAM to restrict which domain users can login. I've also restricted sessions for AD users to this group. This prevents a logged in user from doing an "su -" to an AD user outside of the group. The Winbind uid mapping is configured so that AD users have UID >= 10000000. These work as expected with the PAM configuration below. /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so user ingroup AD_group debug auth requisite pam_succe (HowTos)