[Samba] Winbind: limiting groups that can log-in

Gabriel Tabares-Barreiro gabriel.tabares-barreiro at ri3k.com
Thu Apr 26 10:08:01 GMT 2007


I am currently trying to configure AD (Windows 2003) + Linux (CentOS
4.4) to allow user logins for certain users, namely, developers.

The winbind authentication part of it is working correctly, but every
user in AD can log in to the servers via ssh.

I have tried to limit users by adding 

valid_users = @"domain+developers" (+ is the separator) 

on /etc/samba/smb.conf, but this does not seem to work for

As a workaround, I can limit access to groups by adding 

account required pam_listfile.so file=/etc/samba/allowed_groups item=group sense=allow onerr=fail

to pam.d/sshd (/etc/samba/allowed_groups contains "developers"), but it
does not seem to get the group from AD, so no remote users can log in.

Is there any way to map Windows groups to Unix groups without
installing SFU? I only want to map one group, so getting the data
directly from AD shouldn't be a problem.



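An added diagnostic example, not part of the original post: it checks how each entry of a pam_listfile group list resolves through NSS for one user, which shows whether a short name such as "developers" is visible to PAM at all. The names DOMAIN+alice and the GIDs are constructed sample data, and the membership test (primary GID match or listing in gr_mem) is an assumed approximation of what item=group does.

```python
import grp
import pwd
from types import SimpleNamespace


def audit_allowed_groups(user, lines, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Report how each entry of a pam_listfile group list resolves for `user`.

    Returns (entry, status) pairs; status is 'missing' when the name does not
    resolve through NSS, otherwise 'member' or 'not-member'.
    """
    pw = getpwnam(user)  # raises KeyError if the user itself does not resolve
    report = []
    for raw in lines:
        name = raw.rstrip("\n")
        if not name:
            continue
        try:
            gr = getgrnam(name)
        except KeyError:
            # The entry names a group NSS does not know under this spelling.
            report.append((name, "missing"))
            continue
        # Assumed membership test: primary GID match or listed in gr_mem.
        member = pw.pw_gid == gr.gr_gid or user in gr.gr_mem
        report.append((name, "member" if member else "not-member"))
    return report


# Constructed stand-ins for NSS on a winbind host that uses "+" as separator.
SAMPLE_USERS = {"DOMAIN+alice": SimpleNamespace(pw_gid=10000)}
SAMPLE_GROUPS = {
    "DOMAIN+developers": SimpleNamespace(gr_gid=10001, gr_mem=["DOMAIN+alice"]),
    "DOMAIN+domain users": SimpleNamespace(gr_gid=10000, gr_mem=[]),
    "wheel": SimpleNamespace(gr_gid=10, gr_mem=["root"]),
}


def sample_audit(lines):
    """Run the audit against the constructed sample data above."""
    return audit_allowed_groups("DOMAIN+alice", lines,
                                SAMPLE_USERS.__getitem__, SAMPLE_GROUPS.__getitem__)


if __name__ == "__main__":
    for entry, status in sample_audit(["developers\n", "DOMAIN+developers\n", "wheel\n"]):
        print(f"{entry!r}: {status}")
```

On a real host, call audit_allowed_groups with the user name exactly as `getent passwd` prints it and with the open /etc/samba/allowed_groups file; the default lookups then go through NSS, including winbind.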
