PAM - only allow domain group members to log on via ssh?
I want to allow only one group member from my domain to log in to my gentoo box. Having got the group id (15020), with my understanding of PAM, I've done:

auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account sufficient pam_succeed_if.so gid=15020
account required pam_winbind.so
account required pam_unix.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session sufficient pam_mkhomedir.so skel=/etc/skel/ umask=0077

Domain authentication works fine from before, but it doesn't stop domain users not in the 15020 mapped group from logging in. I've done various permutations of these PAM rules but haven't hit the spot yet; can anyone recommend anything?
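Two things in the posted account stack defeat the restriction, and the corrected account section below is an added example, not the poster's own config. First, pam_succeed_if does not accept `gid=15020`: its conditions are written as `field operator value`, so a primary-GID test is `gid eq 15020`, and membership in a group (primary or supplementary) is `user ingroup <name>`; an unparsable condition makes the module return an error rather than a match. Second, `sufficient` is the wrong control flag for a gate. When the module fails or errors for a user outside the group, a sufficient module's failure is simply ignored and control falls through to pam_winbind and pam_unix, which both succeed, so every domain user still gets in. With `required`, a non-member fails the account stack no matter what follows. The group name `sshusers` is an assumption; substitute whatever `getent group 15020` reports for that GID, including any domain prefix and separator your smb.conf produces for winbind groups.

```text
# /etc/pam.d/sshd, account section only (auth/password/session unchanged).
# Added example, not the original poster's configuration.

# Gate first, and 'required' rather than 'sufficient': a non-member fails
# here and the whole account stack fails, even though the modules below
# would pass. 'user ingroup' matches primary and supplementary groups;
# 'gid eq 15020' would match the primary GID only. 'sshusers' is an
# assumed name: use the name that 'getent group 15020' returns.
# 'debug' logs the result of the test to the auth log while you verify it.
account   required    pam_succeed_if.so user ingroup sshusers debug
account   required    pam_winbind.so
account   required    pam_unix.so
```

The account stack is the right place for the gate because sshd runs it for public-key logins too, which never touch the auth stack. Once it behaves, drop `debug`. The same restriction can be enforced by sshd itself with `AllowGroups sshusers` in sshd_config, which also checks supplementary groups; using both is a reasonable belt-and-braces setup, since the PAM rule still applies if sshd_config is later edited.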