[Samba] Re: help with winbind and groups

Terry td3201 at gmail.com
Sun Jul 12 16:37:03 MDT 2009


On Fri, Jul 10, 2009 at 11:34 PM, Terry<td3201 at gmail.com> wrote:
> Hello,
>
> I have winbind working well out of the box.  However, I am having
> problems with using groups to restrict ssh access to the box.  I have
> a feeling there are some tricks that I haven't thought of yet.
>
> Here are the relevant parts of smb.conf:
>   workgroup = FOO
>   password server = server.foo.local
>   realm = FOO.LOCAL
>   security = ads
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   template shell = /bin/bash
>   winbind use default domain = no
>   winbind offline logon = false
>   winbind enum users = no
>   winbind enum groups = yes
>   winbind separator = +
>
> 1. 'getent group' works and shows this group (yes, it is a different
> domain through a trust):
> NARF+tdtest:*:10521:NARF+joe_jel
>
> 2. I have this in sshd_config:
> AllowGroups     root NARF+tdtest
>
> This works great!  I can log in with NARF+joe_jel via ssh and life is
> good.   However, I have a whole bunch of groups in AD that have spaces
> in them.  I can see them fine in a 'getent group'.  However, how can I
> restrict ssh access using these groups?  I have tried quoting them in
> sshd_config but no luck. Any tricks here?
>
> Thanks!
>

Anyone have some other ideas to get around the 'groups with spaces'
problem I am having here?  Other programs like sudo allow me to escape
the spaces.  SSH is being more problematic.  Any thoughts?

