$ more /etc/pam.d/screensaver
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
#account sufficient pam_self.so
account required pam_group.so no_warn group=DOMAIN\AD-Group Name fail_safe
#required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
Once the screensaver kicks in, press Option-Return to bring up both Name and Password fields. Then anyone in that Domain\AD-Group Name can unlock the screensaver.
The second-to-last line enables members of the referenced AD group to unlock the screensaver. So anyone with Admin rights, AND anyone who is a member of that AD group, can unlock the screensaver.
The pam_self.so line appears to allow the current/local user to unlock the screensaver. For me, ONLY members of the AD group could unlock the screensaver, not even the current user. Those were the requirements!
NOTE: the /etc/pam.d directory holds config files for other services that can be configured the same way! Just always make a backup before playing!
UPDATE: Instead of putting the AD group in the pam.d file, I've created a local group and then added the AD group as a member of it using the following command:
/usr/sbin/dseditgroup -o edit -a "DOMAIN\AD Group" -t group localgroup
And that's had good success. I've also had to create a local user on the machine and add that to my localgroup.
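As an added example (my own code, not from the original post): a small linter for the account stack of a PAM service file like /etc/pam.d/screensaver. It lists the active (uncommented) account modules and flags a pam_group.so group= value that contains whitespace, on the assumption that PAM splits module options on whitespace, so "DOMAIN\AD-Group Name" is read as "group=DOMAIN\AD-Group" plus a stray "Name" token; the local-group approach from the UPDATE avoids that. The list of known pam_group flags and the SAMPLE_PAM text are my own constructions.

```python
"""Lint the account stack of a PAM service file (e.g. /etc/pam.d/screensaver)."""

# Constructed copy of the config shown above, so the script runs offline.
SAMPLE_PAM = """\
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
#account sufficient pam_self.so
account required pam_group.so no_warn group=DOMAIN\\AD-Group Name fail_safe
#required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
"""

# Option flags this linter recognises for pam_group.so (assumption, from
# pam_group(8)); anything else after group= is treated as a stray token.
KNOWN_FLAGS = {"no_warn", "deny", "ruser", "luser", "fail_safe", "root_only"}


def parse_pam(text):
    """Return (facility, control, module, [options]) for each active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                 # PAM tokenises on whitespace
        if len(fields) < 3:
            continue                          # malformed line, skip it
        facility, control, module, *opts = fields
        entries.append((facility, control, module, opts))
    return entries


def account_stack(text):
    """Only the account stack decides who may unlock the screensaver."""
    return [e for e in parse_pam(text) if e[0] == "account"]


def group_option_issues(text):
    """Report pam_group lines whose group= value was split by whitespace."""
    issues = []
    for _, _, module, opts in account_stack(text):
        if module != "pam_group.so":
            continue
        for i, opt in enumerate(opts):
            if opt.startswith("group="):
                # tokens after group= that are neither key=value nor known flags
                stray = [o for o in opts[i + 1:] if "=" not in o and o not in KNOWN_FLAGS]
                if stray:
                    issues.append(f"{opt} is followed by stray token(s) {stray}: "
                                  "a group name containing whitespace is mis-parsed")
    return issues


if __name__ == "__main__":
    for entry in account_stack(SAMPLE_PAM):
        print(entry)
    print(group_option_issues(SAMPLE_PAM))
```

Point it at a real file with open("/etc/pam.d/screensaver").read() instead of SAMPLE_PAM to check a live configuration; a clean run prints an empty list.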