differentiating between domain and local users

Rupesh thakkar_rupesh at yahoo.com
Wed Apr 16 13:50:19 UTC 2008


I am using Linux-PAM-0.99.3.0

1) Currently, when I call pam_authenticate(), it authenticates a domain user when we set PAM_USERNAME as "DOMAINNAME\username" or simply "username".
Is there any way to make pam_authenticate() authenticate domain users only when PAM_USERNAME is set in the format "DOMAINNAME\username"?

2) I need the above requirement because in my application I need to differentiate between two users who have the same user name: one of them is on the local Linux machine while the other belongs to an Active Directory domain. When I set PAM_USERNAME in the format where no domain string is prefixed, pam_authenticate() succeeds with both passwords (i.e. the password for the domain user and the password for the local user).
In this particular case, I want the authentication to succeed only with the local user's password and not with the domain password.


Is the behaviour mentioned in point 1) as expected? If so, how can I achieve the requirement mentioned in point 2)?

 
Below is the PAM configuration file for my application:
#%PAM-1.0
# Section 1:
# To enable authentication of local users only
#      - comment out all the lines in section 2
#      - uncomment the following 3 lines:
# auth       required     /lib/security/pam_stack.so  service=netatalk-auth
# account    required     /lib/security/pam_stack.so  service=netatalk-auth
# session    required     /lib/security/pam_stack.so  service=netatalk-auth
 
# Section 2:
# Note: domain username must be entered as <domainname>\<username>
# To enable authentication of both local and domain users:
#    - comment out all the lines in section 1, and
#    - uncomment the following lines:
#
auth       sufficient           /lib/security/pam_unix.so nullok
auth       sufficient           /lib/security/pam_winbind.so use_first_pass
auth       required             /lib/security/pam_nologin.so
auth       required             /lib/security/pam_deny.so
### account    sufficient               /lib/security/pam_succeed_if.so uid < 100
account    required             /lib/security/pam_unix.so
account    [default=bad success=ok user_unknown=ignore] /lib/security/pam_winbind.so
session    required             /lib/security/pam_limits.so
session    required             /lib/security/pam_unix.so  
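
Added example, not part of the original post and not Linux-PAM code: a small C model of how the "auth" lines above are evaluated, showing why a bare user name is accepted with either password. The accounts, the passwords, the EXAMPLE domain and the "gate" parameter (standing in for any mechanism that skips pam_winbind when the name has no DOMAIN\ prefix) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model only: no libpam calls. All accounts and passwords are constructed. */
enum ctl { SUFFICIENT, REQUIRED };
typedef int (*module_fn)(const char *user, const char *pw);   /* 1 = success */

static int unix_ok(const char *u, const char *p) {      /* stands in for pam_unix */
    return !strcmp(u, "alice") && !strcmp(p, "local-pw");
}
static int winbind_ok(const char *u, const char *p) {   /* stands in for pam_winbind */
    /* The bare name also resolves to the domain account, as the post reports. */
    int known = !strcmp(u, "alice") || !strcmp(u, "EXAMPLE\\alice");
    return known && !strcmp(p, "domain-pw");
}
static int nologin_ok(const char *u, const char *p) { (void)u; (void)p; return 1; }
static int deny(const char *u, const char *p) { (void)u; (void)p; return 0; }

struct entry { enum ctl ctl; module_fn fn; int domain_module; };

/* Same order and control flags as the auth lines in the posted configuration. */
static const struct entry auth_stack[] = {
    { SUFFICIENT, unix_ok,    0 },
    { SUFFICIENT, winbind_ok, 1 },
    { REQUIRED,   nologin_ok, 0 },
    { REQUIRED,   deny,       0 },
};

/* gate != 0 (hypothetical): skip domain modules unless the name has a backslash. */
int authenticate(const char *user, const char *pw, int gate) {
    int required_failed = 0;
    int has_domain = strchr(user, '\\') != NULL;
    for (size_t i = 0; i < sizeof auth_stack / sizeof auth_stack[0]; i++) {
        const struct entry *e = &auth_stack[i];
        if (gate && e->domain_module && !has_domain)
            continue;
        int ok = e->fn(user, pw);
        /* sufficient: success ends the stack if no earlier required module failed */
        if (e->ctl == SUFFICIENT && ok && !required_failed)
            return 1;
        /* required: failure is remembered, the rest of the stack still runs */
        if (e->ctl == REQUIRED && !ok)
            required_failed = 1;
    }
    return !required_failed;
}

int main(void) {
    printf("bare name, domain password, as posted: %d\n", authenticate("alice", "domain-pw", 0));
    printf("bare name, domain password, gated:     %d\n", authenticate("alice", "domain-pw", 1));
    return 0;
}
```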
 
       