[Samba] Re: help with winbind and groups
td3201 at gmail.com
Sun Jul 12 16:37:03 MDT 2009
On Fri, Jul 10, 2009 at 11:34 PM, Terry<td3201 at gmail.com> wrote:
> I have winbind working well out of the box. However, I am having
> problems with using groups to restrict ssh access to the box. I have
> a feeling there are some tricks that I haven't thought of yet.
> Here is the relevant parts of smb.conf:
> workgroup = FOO
> password server = server.foo.local
> realm = FOO.LOCAL
> security = ads
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind use default domain = no
> winbind offline logon = false
> winbind enum users = no
> winbind enum groups = yes
> winbind separator = +
> 1. 'getent group' works and shows this group (yes, it is a different
> domain through a trust):
> 2. I have this in sshd_config:
> AllowGroups root NARF+tdtest
> This works great! I can log in with NARF+joe_jel via ssh and life is
> good. However, I have a whole bunch of groups in AD that have spaces
> in them. I can see them fine in a 'getent group'. However, how can I
> restrict ssh access using these groups? I have tried quoting them in
> sshd_config but no luck. Any tricks here?
Anyone have some other ideas to get around the 'groups with spaces'
problem I am having here? Other programs like sudo allow me to escape
the spaces. SSH is being more problematic. Any thoughts?
More information about the samba