<div dir="ltr">HI<div><br></div><div>i have compiled the pam_access modules successfuly and copied access.conf to /etc/security folder.</div><div><br></div><div>i included </div><div><br></div><div><div>other account required pam_access.so</div></div><div><br></div><div> and added </div><div><div>-:ben ben@infra.com:ALL</div></div><div><br></div><div>but still user ben can able to access the machine</div><div><br></div><div>anyone achieved this?</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 9:19 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Ben .T.George wrote:<br> > please anyone share bit more information on this like real example<br> <br> </span>As we've said many times before, we have very little real experience on<br> Solaris. We do the best we can and sometimes that is going to be in the<br> form of bread crumbs that may be usable to finding your way to a solution.<br> <br> Access control via PAM is a very-well understood problem on Solaris.<br> Once you have users and groups via nss then IPA is largely out of the<br> equation. The OS vendor or Solaris-specific groups will know how to do<br> this far better than us.<br> <br> If you find a detailed answer I'd be happy to add it to the freeIPA wiki.<br> <br> rob<br> <br> ><br> <span class="im HOEnZb">> On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br> </span><span class="im HOEnZb">> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote:<br> ><br> > Dmitri Pal wrote:<br> > > On 03/24/2015 01:15 PM, Ben .T.George wrote:<br> > >> Hi<br> > >><br> > >> current stage is AD users can able to login to solaris box. But i<br> > >> don't up to what level i can control the user.<br> > >><br> > >> i don't think to there is much pan modules in solaris. still i cannot<br> > >> able to make home directory with pam.<br> > ><br> > > I think pam_groupdn (if available on Solaris) might help but I could not<br> > > find a clear example to share with you here.<br> ><br> > I'd suggest looking at pam_access.<br> ><br> > rob<br> ><br> > ><br> > >><br> > >><br> > >><br> > >> On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br> </span><div class="HOEnZb"><div class="h5">> >> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>> wrote:<br> > >><br> > >> On 03/24/2015 07:20 AM, Ben .T.George wrote:<br> > >>> HI<br> > >>><br> > >>> i am using IPA 3.3 and my client is solaris 10.<br> > >>><br> > >>> how can i give only some set of users to this client without<br> > >>> creating user group in ad?<br> > >>><br> > >>> thanks & Regards,<br> > >>> Ben<br> > >>><br> > >>><br> > >><br> > >> You can create a group in IPA and make Solaris check that<br> > group at<br> > >> the access phase of PAM if Solaris is capable of checking groups<br> > >> this way.<br> > >><br> > >> --<br> > >> Thank you,<br> > >> Dmitri Pal<br> > >><br> > >> Sr. Engineering Manager IdM portfolio<br> > >> Red Hat, Inc.<br> > >><br> > >><br> > >> --<br> > >> Manage your subscription for the Freeipa-users mailing list:<br> > >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> > >> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br> > >><br> > >><br> > ><br> > ><br> > > --<br> > > Thank you,<br> > > Dmitri Pal<br> > ><br> > > Sr. Engineering Manager IdM portfolio<br> > > Red Hat, Inc.<br> > ><br> > ><br> > ><br> ><br> ><br> <br> </div></div></blockquote></div><br></div>