[Samba] Restricting AD group logging on to Servers

Andrew Bartlett abartlet at samba.org
Fri Dec 1 18:20:22 UTC 2017


On Fri, 2017-12-01 at 18:04 +0000, Roy Eastwood via samba wrote:
> > -----Original Message-----
> > From: Rowland Penny [mailto:rpenny at samba.org]
> > Sent: 01 December 2017 17:40
> > To: samba at lists.samba.org
> > Cc: Roy Eastwood
> > Subject: Re: [Samba] Restricting AD group logging on to Servers
> > 
> > On Fri, 1 Dec 2017 17:06:42 -0000
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> > 
> > > Hi,
> > > I have a Debian Stretch system running a self-compiled version 4.7.3
> > > of Samba.     Having followed the Samba WiKi to allow AD users to log
> > > onto the servers using PAM authentication, I now want to restrict
> > > access to specified group(s).   So I created a linuxadmins group and
> > > made some test users members of the group.
> > > 
> > > Initially I tried to restrict access by
> > > modifying /etc/security/access.conf and adding a file
> > > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > > This works OK for normal users, including AD users, but I cannot get
> > > it to work for AD groups.   For example, I wanted to deny Domain
> > > Users, but allow linuxadmins.     I have tried all variations, e.g.
> > > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> > > users;    in quotes or not, with () as per the man page, but cannot
> > > get this to work - i.e. no matter what I enter all AD users are allowed
> > > to log in (using SSH).
> > > 
> > > Searching the net I found reference to the pam_winbind.conf file
> > > in /etc/security.    This did not exist, so I created a file
> > > containing the line: require_membership_of=DOMAIN\\linuxadmins   but
> > > this has no effect.   The man pages for pam_winbind and
> > > pam_winbind.conf indicate it has been built for Samba v4.7 but states
> > > "is correct for version 3 of Samba".   So I assume it's no longer
> > > used for version 4?
> > > 
> > > On member servers, setting the user's shell to /bin/false in the Unix
> > > Attributes tab of ADUC will prevent access, but this doesn't work for
> > > the DCs as this value is ignored.
> > > 
> > > So how can this be done?
> > > 
> > > Many thanks,
> > > 
> > > Roy
> > > 
> > > 
> > 
> > try adding the 'require_membership_of' line to the winbind auth line in
> > PAM.
> > 
> > Rowland
> 
> Thanks Rowland, that did the trick and is the simplest solution.
> 
> Found that only one \ was required to separate the domain part from the group name part - i.e. DOMAIN\linuxadmins rather than
> DOMAIN\\linuxadmins.   (The man page for pam_winbind.conf suggests two \\ are needed.)

Just one thing on that.  Remember that this is not checked by SSH for
authorized_keys based logins, it is run on the password checking path
only.  As long as they can't add such keys (no home dir) that is fine,
but just be aware.

I take it you have set a template shell and that is why you have access
at all? 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
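The gap Andrew points out above (require_membership_of lives on the pam_winbind auth line, and an authorized_keys login never runs the auth stack) is easy to miss when reviewing a box. The script below is an added example written for this page, not code from the thread or from Samba: it flattens a constructed /etc/pam.d/sshd (following @include), pulls out any require_membership_of given to pam_winbind.so, reads the top-level directives of a constructed sshd_config, and reports when the membership check only exists on a path that key-based logins skip. The sample files, the EXAMPLE domain and the linuxadmins group are all made up here; the suggestion to close the gap with sshd's AllowGroups (which sshd evaluates for every authentication method, before PAM) is the example's own, not something the thread recommends.

```python
"""Audit an sshd PAM stack for the gap discussed in the thread: pam_winbind's
require_membership_of is enforced on the password path only, so a user who
can log in with an SSH key never hits it.  All inputs below are constructed."""

import re

# ---- Constructed sample configuration (not taken from the original post) ----
PAM_FILES = {
    "sshd": """\
# /etc/pam.d/sshd (constructed)
@include common-auth
account    required     pam_nologin.so
@include common-account
session    required     pam_loginuid.so
""",
    "common-auth": """\
auth  [success=2 default=ignore]  pam_unix.so nullok_secure
auth  [success=1 default=ignore]  pam_winbind.so krb5_auth cached_login try_first_pass require_membership_of=EXAMPLE\\linuxadmins
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
""",
    "common-account": """\
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
account requisite   pam_deny.so
account required    pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore default=bad]  pam_winbind.so
""",
}

SSHD_CONFIG_WEAK = """\
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes
"""

# Hypothetical hardened variant: AllowGroups is checked by sshd for every
# authentication method, so the group restriction no longer depends on PAM auth.
SSHD_CONFIG_HARDENED = SSHD_CONFIG_WEAK + "AllowGroups EXAMPLE\\linuxadmins\n"

# type, control (single word or [bracketed]), module, optional arguments
PAM_LINE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(name, files, _seen=None):
    """Flatten one PAM service file, following @include, into
    (type, control, module, [args]) tuples in stack order."""
    if _seen is None:
        _seen = set()
    if name in _seen:  # guard against include loops
        return []
    _seen.add(name)
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            entries += parse_pam(line.split()[1], files, _seen)
            continue
        m = PAM_LINE.match(line)
        if m:
            entries.append((m["type"], m["control"], m["module"], m["args"].split()))
    return entries


def winbind_membership(entries):
    """Map each stack type to the require_membership_of values passed to pam_winbind there."""
    found = {}
    for mtype, _ctrl, module, args in entries:
        if module != "pam_winbind.so":
            continue
        for arg in args:
            if arg.startswith("require_membership_of="):
                found.setdefault(mtype, []).append(arg.split("=", 1)[1])
    return found


def parse_sshd_config(text):
    """Top-level sshd_config directives with lower-cased keys.  First occurrence
    wins, as in sshd; conditional Match blocks are not modelled here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1] if len(parts) > 1 else "")
    return conf


def audit(pam_files, sshd_config, service="sshd"):
    """Return a list of findings; an empty list means the AD group restriction
    holds on every SSH login path the audit models."""
    findings = []
    stacks = winbind_membership(parse_pam(service, pam_files))
    conf = parse_sshd_config(sshd_config)
    if conf.get("usepam", "no").lower() != "yes":  # upstream default is no
        findings.append("UsePAM is not yes: sshd does not run the PAM auth stack at all")
    if "auth" not in stacks:
        findings.append("auth stack: pam_winbind has no require_membership_of; any AD user "
                        "with a valid shell can log in by password")
    pubkey = conf.get("pubkeyauthentication", "yes").lower() == "yes"  # sshd default is yes
    if pubkey and "allowgroups" not in conf:
        findings.append("authorized_keys logins never run the PAM auth stack, so "
                        "require_membership_of there is bypassed for users who can place a key; "
                        "add AllowGroups to sshd_config (or disable PubkeyAuthentication)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SSHD_CONFIG_WEAK), ("hardened", SSHD_CONFIG_HARDENED)):
        print(label, audit(PAM_FILES, cfg) or "no findings")
```

Run as-is it prints one finding for the weak sshd_config and none for the hardened one; point `PAM_FILES` and the sshd_config string at real files to audit a server. The audit deliberately does not try to reason about whether users have a home directory (Andrew's mitigation), since that depends on the template homedir and on whether it is created at login.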



