Scope/Description
This article outlines how to restrict domain user logins on a host that is joined to an Active Directory domain.
Prerequisites
- Already joined to an Active Directory domain
- See this article on how to join a domain
Steps
- Open “/etc/security/pam_winbind.conf” for editing
vim /etc/security/pam_winbind.conf
- Add a membership entry specifying one or more SIDs:
- SIDs or group names should be separated by commas and no spaces. Do not create multiple require_membership_of lines, or only the last will be used.
[global]
require_membership_of=sid1,sid2,sid3
- Restart winbind
systemctl restart winbind
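The shell function below is an added example, not part of the original article: it checks a pam_winbind.conf-style file for the two mistakes described in the steps above (several require_membership_of lines, and spaces around the commas) and prints the value that will actually be used. The function name check_membership, its return codes and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: lint require_membership_of in a pam_winbind.conf-style file.
# Prints the effective (last) value and returns:
#   0 = one well-formed entry    1 = no entry, logins are not restricted
#   2 = several entries, only the last is used
#   3 = whitespace next to a comma    4 = file not readable
check_membership() {
    conf=$1
    pattern='^[[:space:]]*require_membership_of[[:space:]]*='
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 4; }
    # Count active (non-commented) entries; grep -c exits 1 on zero matches.
    count=$(grep -cE "$pattern" "$conf" || true)
    if [ "$count" -eq 0 ]; then
        echo "no require_membership_of entry found" >&2
        return 1
    fi
    # The last entry wins, so report that one as the effective value.
    value=$(grep -E "$pattern" "$conf" | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    printf '%s\n' "$value"
    if [ "$count" -gt 1 ]; then
        echo "$count entries found; earlier ones are ignored" >&2
        return 2
    fi
    case $value in
        *[[:space:]],*|*,[[:space:]]*)
            echo "whitespace around a comma in the list" >&2
            return 3 ;;
    esac
    return 0
}

# Constructed sample file: two entries, so only the second is effective.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
require_membership_of=sid1
require_membership_of=sid2,sid3
EOF
rc=0
effective=$(check_membership "$sample" 2>/dev/null) || rc=$?
echo "effective=$effective rc=$rc"
rm -f "$sample"
```

To check the real file, call check_membership /etc/security/pam_winbind.conf and treat any non-zero return code as a reason to fix the file before restarting winbind.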
Verification
Try to log in as a domain user who is not a member of the allowed groups, using the command below, and confirm that they cannot connect:
su 'domain\user'
Troubleshooting