Release Found: Red Hat Enterprise Linux 3 and 4
To restrict access to particular domain users, use the PAM module pam_access.so.
Edit /etc/pam.d/system-auth and add the following account directive before the winbind account directive:
account required /lib/security/$ISA/pam_access.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
Edit the /etc/security/access.conf file and specify the domain users who are allowed to log in to the Red Hat Enterprise Linux machine. For example, to restrict access to the Active Directory (AD) domain users tom, dick and harry in the MYDOMAIN domain, add the entry:
-:ALL except MYDOMAIN\tom MYDOMAIN\dick MYDOMAIN\harry:ALL
Be aware that this will allow only these 3 users and the root user to log in. Even local users or user accounts from other repositories (e.g. NIS) will not be allowed to log in.
Note also that explicitly specifying MYDOMAIN is only required if "winbind use default domain = no" is set in the /etc/samba/smb.conf file. If "winbind use default domain = yes" then there is no need to specify MYDOMAIN as it is implied.
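To preview who an access.conf entry would lock out before deploying it, the following added example (not part of the original article or of pam_access itself) models the matching in simplified form. It assumes first-match-wins evaluation, case-insensitive names, and an origin field of ALL; groups, netgroups and the rest of the PAM stack are not modelled, and the function names are hypothetical.

```python
# Added example: simplified model of access.conf user matching.
# Assumptions: only the permission and user fields are evaluated, the
# origin field is treated as ALL, and groups/netgroups are ignored.

def parse_rules(text):
    """Return [(permission, listed_tokens, except_tokens)] from access.conf text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        perm, users, _origins = (f.strip() for f in line.split(":", 2))
        tokens = users.split()
        # Tokens after EXCEPT are exclusions from the list before it.
        idx = next((i for i, t in enumerate(tokens) if t.upper() == "EXCEPT"),
                   len(tokens))
        rules.append((perm, tokens[:idx], tokens[idx + 1:]))
    return rules

def _matches(user, tokens):
    # ALL matches everyone; otherwise compare the whole name.
    return any(t.upper() == "ALL" or t.lower() == user.lower() for t in tokens)

def is_allowed(user, rules):
    """The first matching rule decides; if nothing matches, access is granted."""
    for perm, listed, excepted in rules:
        if _matches(user, listed) and not _matches(user, excepted):
            return perm == "+"
    return True

# The entry from the article, used here as constructed sample input.
ACCESS_CONF = r"-:ALL except MYDOMAIN\tom MYDOMAIN\dick MYDOMAIN\harry:ALL"
RULES = parse_rules(ACCESS_CONF)

def preview(users):
    """Map each candidate login name to True (allow) or False (deny)."""
    return {u: is_allowed(u, RULES) for u in users}

if __name__ == "__main__":
    # Constructed names: a listed AD user, an unlisted AD user, a local
    # account, and the bare name winbind reports with default domain = yes.
    sample = [r"MYDOMAIN\tom", r"MYDOMAIN\alice", "localuser", "tom"]
    for user, ok in preview(sample).items():
        print(f"{user:16} {'allow' if ok else 'deny'}")
```

The bare name tom is denied because the entry lists MYDOMAIN\tom, so the names in access.conf have to be written in the form that the "winbind use default domain" setting produces.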
For more information about using the access.conf file, please read the comments and examples contained within that file.