[Samba] help with winbind and groups

Terry td3201 at gmail.com
Fri Jul 10 22:34:35 MDT 2009


I have winbind working well out of the box.  However, I am having
problems with using groups to restrict ssh access to the box.  I have
a feeling there are some tricks that I haven't thought of yet.

Here is the relevant parts of smb.conf:
   workgroup = FOO
   password server = server.foo.local
   realm = FOO.LOCAL
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind use default domain = no
   winbind offline logon = false
   winbind enum users = no
   winbind enum groups = yes
   winbind separator = +

1. 'getent group' works and shows this group (yes, it is a different
domain through a trust):

2. I have this in sshd_config:
AllowGroups     root NARF+tdtest

This works great!  I can log in with NARF+joe_jel via ssh and life is
good.   However, I have a whole bunch of groups in AD that have spaces
in them.  I can see them fine in a 'getent group'.  However, how can I
restrict ssh access using these groups?  I have tried quoting them in
sshd_config but no luck. Any tricks here?


More information about the samba mailing list