[Samba] restrict ssh login by Win2K AD group SOLVED!

Matt Herzog msh at blisses.org
Tue Sep 19 19:19:36 GMT 2006

On Fri, Sep 15, 2006 at 05:35:06PM -0400, Matt Herzog wrote:
> Hello again.
> I'm hoping there is some way I can restrict ssh login through the AD to my
> Linux servers. I only have one group of users on the domain that needs ssh access. 
> So far I see lots of ways to add or map or join Linux to Windows groups but
> I would rather be able to say: 

"Permission denied" to all users but those in the AD group named

My boss found this page and solution almost immediately, demonstrating why
he's making the big bucks. Or something.


All I needed to do is add the line:

account    sufficient   pam_succeed_if.so gid = 10003

to /etc/pam.d/sshd 

It is that simple. Of course I'd like to have more than one group be able to
login so I'll dig into that presently.

Announcing your plans is a good way to hear the gods' laughter.

More information about the samba mailing list