The following options are more "PBIS-like" methods of doing the same thing:

Rather than edit sshd_config to block domain^users, run "/opt/pbis/bin/config RequireMembershipOf nonexistentgroup". This will only allow members of "nonexistentgroup" to log into the box, which won't exist, so PBIS users will be effectively blocked.

Even better, however, is to simply NOT enable pam when you do the join:

domainjoin-cli join --disable pam domain.com username

Now no PAM modifications will be done. The same can be done with "--disable ssh" and "--disable nsswitch". If you do all 3 of these, however, you'll need to have your software make direct calls into PBIS to find AD users, since they won't be exposed to the OS.

You can change these configurations live with:

domainjoin-cli configure --enable
domainjoin-cli configure --disable

See the full list in domainjoin-cli --help and domainjoin-cli --help-internal.
https://github.com/rharmonson/richtech/wiki/Centos-6.6-Minimal-&-Beyond-Trust's-Power-Broker-Identity-Services-aka-Likewise#sshd
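A small audit script, added here as an example and not part of the answer above, for confirming after a join done with "--disable pam", "--disable ssh" or "--disable nsswitch" that those subsystems really were left untouched. The marker strings it looks for (an "lsass" source on the passwd/group lines of nsswitch.conf, pam_lsass.so in the PAM stack, and "UsePAM yes" in sshd_config) are assumptions about what a default join writes, not details given in the post; note that "UsePAM yes" is also a common stock setting, so it is reported rather than treated as proof of a PBIS hook.

```shell
#!/bin/sh
# Audit whether PBIS/Likewise has hooked NSS, PAM and sshd on this host.
# Paths default to the live system files; pass alternatives for testing.
# Output: "nss=<hooked|clean> pam=<hooked|clean> ssh_usepam=<yes|no>"
# Exit status is 1 when NSS or PAM is hooked (i.e. AD users are exposed
# to the OS), 0 otherwise. Marker strings are assumptions (see lead-in).
pbis_hooks() {
    nss=${1:-/etc/nsswitch.conf}
    pamd=${2:-/etc/pam.d}
    sshd=${3:-/etc/ssh/sshd_config}
    rc=0

    # NSS: a passwd: or group: line naming the lsass source means domain
    # users and groups resolve via getpwnam()/getgrnam() like local ones.
    if grep -Eqs '^(passwd|group):.*[[:space:]]lsass([[:space:]]|$)' "$nss"; then
        n=hooked; rc=1
    else
        n=clean
    fi

    # PAM: any active (uncommented) line loading pam_lsass.so in any
    # service file lets PBIS take part in authentication/session setup.
    if grep -Eqs '^[^#]*pam_lsass\.so' "$pamd"/*; then
        p=hooked; rc=1
    else
        p=clean
    fi

    # sshd: the join's ssh module enables UsePAM so sshd logins reach
    # pam_lsass. Reported only, since many distros ship UsePAM yes anyway.
    if grep -Eiqs '^[[:space:]]*UsePAM[[:space:]]+yes' "$sshd"; then
        s=yes
    else
        s=no
    fi

    echo "nss=$n pam=$p ssh_usepam=$s"
    return $rc
}
```

Source the file and run pbis_hooks with no arguments to audit the live system; a non-zero exit means domain users are still visible to the OS.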