[Samba] ssh login through AD solution

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Mon Sep 25 17:41:19 GMT 2006


Hi Matt,

On 09/22/2006 01:24 PM, Matt Herzog wrote:
> Thanks to Anthony Ciarochi at Centeris for this solution.
> 
> I have a CentOS (Red Hat-based) server that is now accessible to AD users
> AND local users via ssh. I can control which AD groups can log in using the
> syntax below. Red Hat-based distros use "pam_stack" in pam.d which is quite
> different than Debian's "include" based pam.d:
> 
> cat /etc/pam.d/sshd
> # ----------------------------------------------------------------------
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    sufficient   pam_succeed_if.so user ingroup sshlogin
> account    sufficient   pam_succeed_if.so user ingroup wheel
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
> session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
> # ----------------------------------------------------------------------
> 
> The critical lines are:
> 
>    account    sufficient   pam_succeed_if.so user ingroup sshlogin
> 
> The above is to allow an AD group "sshlogin" to ssh in.
> 
>    account    sufficient   pam_succeed_if.so user ingroup wheel
> 
> The above allows anyone in the *local machine* unix group "wheel" to ssh in.
> 
>    session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
> 
> The above creates home dirs and dot files for AD users when they log in for
> the first time.


	Could you add that information to the wiki?

		http://wiki.samba.org


	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
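
The account lines quoted above, evaluated with Linux-PAM's control-flag rules to show who is let in and that everyone else is denied. This is an added example, not part of the original thread. The user names and group memberships are constructed, and only the `user ingroup` condition from the post is modelled.

```python
# Added example, not from the original post. Group data is constructed.
SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_succeed_if.so user ingroup sshlogin
account    sufficient   pam_succeed_if.so user ingroup wheel
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
"""

# Constructed membership: "sshlogin" stands for the AD group, "wheel" is local.
GROUPS = {"alice": {"sshlogin"}, "localadmin": {"wheel"},
          "bob": {"domain users"}, "carol": {"sshlogin", "wheel"}}

def parse(text, mgmt_type):
    """Return (control, module, args) for every line of one management type."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            rules.append((fields[1], fields[2], fields[3:]))
    return rules

def succeed_if(user, args):
    """Model only the condition used in the post: user ingroup <group>."""
    if len(args) != 3 or args[:2] != ["user", "ingroup"]:
        raise ValueError("condition not modelled: %r" % (args,))
    return args[2] in GROUPS.get(user, set())

def account_allowed(user, text=SSHD_PAM):
    """Evaluate the account stack with required/requisite/sufficient rules."""
    failed = positive = False
    for control, module, args in parse(text, "account"):
        if module != "pam_succeed_if.so":
            raise ValueError("module not modelled: " + module)
        ok = succeed_if(user, args)
        if control == "sufficient":
            if ok and not failed:
                return True        # success ends the stack immediately
            # a failing sufficient module is ignored
        elif control in ("required", "requisite"):
            positive, failed = positive or ok, failed or not ok
            if control == "requisite" and not ok:
                break              # requisite failure stops the stack
        else:
            raise ValueError("control not modelled: " + control)
    # No positive result (every module ignored) is treated as a denial.
    return positive and not failed
```

The posted file has no other account line, so these two checks are the whole account decision for sshd. Passing the same text with `sufficient` replaced by `required` makes the checks cumulative, so only a user in both groups passes.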