pam.deny.groups

This configuration parameter specifies the groups that should be denied access to PAM-enabled applications. When this parameter is defined, only the listed groups are denied access. All other groups are allowed access.

This parameter does not support cross-forest groups. (Ref: CS-18659a)

If you want to use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but they do not need to be enabled for UNIX. Local group membership and invalid Active Directory group names are ignored.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see which groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is denied access and authentication fails. If the user is not a member of any group specified by this parameter, authentication succeeds and the user is logged on.

The parameter’s value can be one or more group names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent all members of the vendors and azul groups in Active Directory from logging on:

pam.deny.groups: vendors,azul

You can use the short format of the group name or the full canonical name of the group.

To enter group names with spaces, enclose them in double quotes; for example:

pam.deny.groups: "domain admins",sales,"domain users"

To specify a file that contains a list of the groups that should be denied access:

pam.deny.groups: file:/etc/centrifydc/groups.deny
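The value formats listed above (comma- or space-separated names, double-quoted names containing spaces, and the file: keyword), as an added example that is not part of the original documentation or of the pam_centrifydc module: a small Python parser for the pam.deny.groups value plus the membership check it implies. It assumes a groups.deny file lists one group name per line and that group names compare case-insensitively, as Active Directory names do.

```python
from pathlib import Path
from typing import Callable, Iterable, List, Optional

# Constructed excerpt of a centrifydc.conf file used as sample input.
SAMPLE_CONF = """\
# deny vendors and two built-in groups
pam.deny.groups: "domain admins",sales,"domain users"
"""


def get_parameter(conf_text: str, name: str) -> Optional[str]:
    """Return the raw value of `name:` from a centrifydc.conf-style text, or None if absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue                      # comments and malformed lines are skipped
        key, _, value = line.partition(":")
        if key.strip() == name:
            return value.strip()
    return None


def parse_deny_groups(value: Optional[str],
                      read_file: Callable[[Path], str] = Path.read_text) -> List[str]:
    """Turn a pam.deny.groups value into a list of group names."""
    if value is None or not value.strip():
        return []                         # parameter not defined: no group filtering
    value = value.strip()
    if value.startswith("file:"):
        # Assumption for this example: the file holds one group name per line.
        text = read_file(Path(value[len("file:"):]))
        return [ln.strip() for ln in text.splitlines() if ln.strip()]
    groups, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes     # quoted names may contain spaces
        elif ch in ", " and not in_quotes:
            if current:                   # comma or space ends an unquoted name
                groups.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        groups.append("".join(current))
    return groups


def is_denied(user_groups: Iterable[str], deny_groups: Iterable[str]) -> bool:
    """True if the user is a member of any denied group (case-insensitive match)."""
    denied = {g.lower() for g in deny_groups}
    return any(g.lower() in denied for g in user_groups)
```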

If a computer is configured to use Auto Zone without a zone, enter group names in the format specified by the auto.schema.name.format parameter:

  • SAM (samAccountName — this is the default); for example: finance_admins

  • samAccountName@domain_name; for example: finance_admins@acme.com

  • NTLM; for example: acme.com+finance_admins

You can look in the centrifydc.conf configuration file for the value of auto.schema.name.format, or run adquery group -n to see the UNIX name for any group. For example, if auto.schema.name.format is set to SAM (the default), run the following command to see the UNIX name for the Finance_Admins group; the command returns the UNIX name as shown:

[root]#adquery group -n Finance_Admins
finance_admins

If this parameter is not defined in the configuration file, no group filtering is performed.

If you make changes to this parameter, you should run adflush to clear the cache to ensure your changes take effect.