[Samba] restrict ssh login by Win2K AD group SOLVED!

Matt Herzog msh at blisses.org
Tue Sep 19 19:19:36 GMT 2006


On Fri, Sep 15, 2006 at 05:35:06PM -0400, Matt Herzog wrote:
> Hello again.
> 
> I'm hoping there is some way I can restrict ssh login through the AD to my
> Linux servers. I only have one group of users on the domain that needs ssh access. 
> 
> So far I see lots of ways to add or map or join Linux to Windows groups but
> I would rather be able to say: 

"Permission denied" to all users but those in the AD group named
"Developers."

My boss found this page and solution almost immediately, demonstrating why
he's making the big bucks. Or something.

http://blogs.sun.com/tkblog/entry/integrating_linux_with_active_directory

All I needed to do is add the line:

account    sufficient   pam_succeed_if.so gid = 10003

to /etc/pam.d/sshd 

It is that simple. Of course I'd like to have more than one group be able to
log in so I'll dig into that presently.


-- 
Announcing your plans is a good way to hear the gods' laughter.
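
The message leaves open how to admit more than one group. One way to do that with the same module, as an added example that is not from the original post or the linked blog: it assumes a Linux-PAM `pam_succeed_if` that supports the `user ingroup` condition, and the group name `SysAdmins` is constructed.

```conf
# /etc/pam.d/sshd, account section only (added example, not from the post).

# Line from the message, kept for comparison. "gid = 10003" matches the
# user's primary GID only, and "sufficient" grants access on a match without
# rejecting anyone else by itself; rejection then depends on the account
# modules that follow it.
#account    sufficient   pam_succeed_if.so gid = 10003

# Allow-list by group name. "user ingroup" tests membership (primary or
# supplementary). On a match the bracketed control skips forward past the
# pam_deny line; on no match the result is ignored and the next line is tried.
account  [success=2 default=ignore]  pam_succeed_if.so quiet user ingroup Developers
account  [success=1 default=ignore]  pam_succeed_if.so quiet user ingroup SysAdmins

# Reached only when none of the checks above matched: fail the account
# phase at once. This also rejects local accounts that are in neither group.
account  requisite                   pam_deny.so

# The service's existing account lines continue here unchanged. At least one
# of them must return success, because a skipped-over deny grants nothing.
```

When adding a third group, insert its line above the others with `success=3`, so that every check still lands just past `pam_deny.so`. Keep a root session open while testing the change so a mistake in the stack cannot lock you out.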

