pam.allow.groups

This configuration parameter specifies the groups allowed to access PAM-enabled applications. When this parameter is defined, only the listed groups are allowed access. All other groups are denied access.

Note:   This parameter does not support cross-forest groups. (Ref: CS-18659a)

If you want to use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but the groups you specify do not have to be enabled for UNIX. Local group membership and invalid Active Directory group names are ignored.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

If you use this parameter to control access by group name, the agent checks the Active Directory group membership for every user who attempts to use PAM-enabled applications on the host computer.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see what groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is accepted and authentication proceeds. If the user is not a member of any group specified by this parameter, authentication fails and the user is rejected.

The parameter’s value can be one or more group names, separated by commas, or the file: keyword and a file location. For example, to allow only members of the administrators, sales, and engineering groups in Active Directory to log in:

pam.allow.groups: administrators,sales,engineering

You can use the short format of the group name or the full canonical name of the group.

To enter group names with spaces, enclose them in double quotes; for example:

pam.allow.groups: "domain admins",sales,"domain users"

To specify a file that contains a list of the groups allowed access, type the path to the file:

pam.allow.groups: file:/etc/centrifydc/groups.allow

If no group names are specified, no group filtering is performed.

If you make changes to this parameter, you should run adflush to clear the cache to ensure your changes take effect.

Specifying group names for computers joined to Auto Zone

If a computer is configured to use the Auto Zone instead of a specific zone, you should specify group names using the format defined by the auto.schema.name.format parameter. For example the auto.schema.name.format parameter can be set to the following:

  • SAM (default) uses the samAccountName attribute for the group—web_qa
  • SAM@domainName uses the samAccountName@domain_name format—web_qa@acme.com
  • NTLM uses the NTLM format and separator defined for adclient.ntlm.separatorsacme.com+web_qa

You can look in the centrifydc.conf configuration file for the value of auto.schema.name.format, or run adedit or adquery commands to see the UNIX name for any group. For example, to see the UNIX name for the Web_qa Active Directory group when the auto.schema.name.format parameter is set to SAM, you can execute a command similar to this to return the UNIX group profile name:

adquery group -n web_qa
webqa.us