pam.allow.users

This configuration parameter specifies the users who are allowed to access PAM-enabled applications. When this parameter is defined, only the listed users are allowed access. All other users are denied access.

If you want to use this parameter to control which users can log in, the users you specify should be valid Active Directory users that have a valid UNIX profile for the local computer’s zone. If you specify local user accounts or invalid Active Directory user names, these entries are ignored.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

If you specify one or more users with this parameter, user filtering is performed for all PAM-enabled applications on the host computer.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks the users specified by this parameter to see if the user is listed there. If the user is included in the list, the user is accepted and authentication proceeds. If the user is not listed, the user is rejected.

The parameter value can be one or more user names, separated by commas, or the file: keyword and a file location. For example:

pam.allow.users: root,joan7,bbenton
pam.allow.groups: administrators,sales,engineering

You can use the short format of the user name or the full canonical name of the user.

To enter user names with spaces, enclose them in double quotes; for example:

pam.allow.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"

To specify a file that contains a list of the users allowed access, type the path to the file:

pam.allow.users: file:/etc/centrifydc/users.allow

If no user names are specified, then no user filtering is performed.
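The three value forms above (a comma-separated list, double-quoted names containing spaces, and the file: keyword) and the accept/reject rule can be modelled in a few lines. The following is an added example written for this page, not code from pam_centrifydc or Centrify; the layout of the users.allow file (one name per line, '#' comments ignored) and the file_is_trustworthy ownership check are assumptions of the example, not behaviour the page documents.

```python
import csv
import io
import os
import stat
import tempfile

FILE_KEYWORD = "file:"


def parse_user_list(value, read_file=None):
    """Parse a pam.allow.users value into a list of user names.

    Handles the forms shown on the page: a comma-separated list,
    double-quoted names that contain spaces, and the file: keyword
    followed by a path. An empty value means no filtering (empty list).
    read_file(path) -> str may be supplied so the example runs offline.
    """
    value = value.strip()
    if not value:
        return []
    if value.startswith(FILE_KEYWORD):
        path = value[len(FILE_KEYWORD):].strip()
        if read_file is None:
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
        else:
            text = read_file(path)
        # Assumption: one user per line; blank lines and '#' comment lines
        # are ignored. The page does not define the file layout.
        return [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")]
    # A quoted field may contain commas and spaces: exactly the page's
    # quoting rule, which the csv module already implements.
    row = next(csv.reader(io.StringIO(value), skipinitialspace=True))
    return [name.strip() for name in row if name.strip()]


def is_allowed(user_names, allowed):
    """Model of the decision described on the page.

    user_names: the names the user can be matched by, i.e. the short
    name and the full canonical name, e.g. {"jcool", "jcool@acme.com"}.
    allowed: the parsed list. An empty list means no filtering: accept.
    """
    if not allowed:
        return True
    return any(name in allowed for name in user_names)


def file_is_trustworthy(path):
    """Added hardening check (not part of the page): a file that gates
    PAM access should be root-owned and not writable by group or others,
    otherwise whoever can edit it decides who may log in."""
    st = os.stat(path)
    return st.st_uid == 0 and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


# Constructed sample values, taken from the page's own examples.
INLINE = "root,joan7,bbenton"
QUOTED = '"sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"'
SAMPLE_FILE_TEXT = "# constructed users.allow\nroot\njoan7\n\nbbenton\n"


def demo():
    results = {
        "inline": parse_user_list(INLINE),
        "quoted": parse_user_list(QUOTED),
        "from_file": parse_user_list("file:/etc/centrifydc/users.allow",
                                     read_file=lambda p: SAMPLE_FILE_TEXT),
        "joan7_allowed": is_allowed({"joan7", "joan7@acme.com"},
                                    parse_user_list(INLINE)),
        "sp1_allowed": is_allowed({"sp1 user", "sp1 user@acme.com"},
                                  parse_user_list(QUOTED)),
        "other_rejected": is_allowed({"mallory", "mallory@acme.com"},
                                     parse_user_list(INLINE)),
        "empty_no_filter": is_allowed({"anyone"}, parse_user_list("")),
    }
    # Deliberately world-writable temp file: the hardening check must refuse it.
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(SAMPLE_FILE_TEXT)
    os.chmod(tmp.name, 0o666)
    results["world_writable_rejected"] = file_is_trustworthy(tmp.name)
    os.unlink(tmp.name)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Note that is_allowed is given every name the user can be known by, because the page allows either the short name or the full canonical name in the list; a real implementation resolves those from the directory rather than taking them as input.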

If you make changes to this parameter, you should run adflush to clear the cache to ensure

Specifying user names for computers joined to Auto Zone

If a computer is configured to use the Auto Zone instead of a specific zone, you should specify user names using the format defined by the auto.schema.name.format parameter. For example, the auto.schema.name.format parameter can be set to one of the following:

  • SAM (default) uses the samAccountName attribute for the user—jcool

  • SAM@domainName uses the samAccountName@domain_name format—jcool@acme.com

  • NTLM uses the NTLM format and separator defined for adclient.ntlm.separators

You can look in the centrifydc.conf configuration file for the value of the auto.schema.name.format parameter, or run adedit or adquery commands to see the UNIX name for any user. For example, to see the UNIX name for the jcool Active Directory user when the auto.schema.name.format parameter is set to SAM, you can execute a command similar to this to return the UNIX user profile name:

adquery user -n jcool
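The practical failure mode in an Auto Zone is a list entry written in one name format while auto.schema.name.format produces another: the names never match and the user is rejected. The following added example (written for this page, not Centrify's code) derives the UNIX profile name for each of the three formats and checks it against a pam.allow.users value. The NTLM form is assumed here to be DOMAIN, a separator character, then the samAccountName, with "+" used as a stand-in for the adclient.ntlm.separators value; the page names that parameter but does not give its default.

```python
def unix_name(sam_account_name, domain, name_format="SAM", ntlm_separator="+"):
    """Return the UNIX profile name for an Auto Zone computer, following the
    three auto.schema.name.format values listed on the page.

    sam_account_name: the user's samAccountName attribute, e.g. "jcool"
    domain:           the DNS domain name, e.g. "acme.com"
    ntlm_separator:   assumed to be the first character of
                      adclient.ntlm.separators ("+" is an assumption here)
    """
    fmt = name_format.strip().upper()
    if fmt == "SAM":
        return sam_account_name
    if fmt == "SAM@DOMAINNAME":
        return f"{sam_account_name}@{domain}"
    if fmt == "NTLM":
        # Assumption: NTLM form uses the short (NetBIOS-style) domain name,
        # taken here as the first DNS label in upper case.
        netbios = domain.split(".")[0].upper()
        return f"{netbios}{ntlm_separator}{sam_account_name}"
    raise ValueError(f"unknown auto.schema.name.format: {name_format!r}")


def allowed_in_auto_zone(allow_value, sam_account_name, domain,
                         name_format="SAM", ntlm_separator="+"):
    """Apply the page's rule: an empty list means no filtering; otherwise the
    UNIX profile name produced by the configured format must be listed."""
    allowed = [n.strip() for n in allow_value.split(",") if n.strip()]
    if not allowed:
        return True
    return unix_name(sam_account_name, domain, name_format, ntlm_separator) in allowed


def demo():
    """Constructed cases: jcool in acme.com under each format, plus the
    mismatch that silently locks a user out."""
    return {
        "sam": unix_name("jcool", "acme.com", "SAM"),
        "sam_at_domain": unix_name("jcool", "acme.com", "SAM@domainName"),
        "ntlm": unix_name("jcool", "acme.com", "NTLM", "+"),
        # list written as SAM, format set to SAM -> matches
        "sam_match": allowed_in_auto_zone("root,jcool", "jcool", "acme.com", "SAM"),
        # list written as SAM@domainName while the computer uses SAM -> rejected
        "format_mismatch": allowed_in_auto_zone("jcool@acme.com", "jcool",
                                                "acme.com", "SAM"),
        # same list with the matching format -> accepted
        "format_fixed": allowed_in_auto_zone("jcool@acme.com", "jcool",
                                             "acme.com", "SAM@domainName"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

When a user who should be allowed is rejected on an Auto Zone host, compare the exact string returned by adquery user -n with the entries in the list before looking anywhere else; a format mismatch produces no other visible error.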