[Samba] Restrict users from logging in: winbind

Matthew J. Salerno vagabond_king at yahoo.com
Mon Nov 2 13:43:44 MST 2009

I have my Redhat 5.4 linux server fully integrated into my companies AD.  The biggest issue I have is that I am using a rid backend which means that anyone with an AD account can log into the server.  So my quesiton is, how can I restrict server login via AD groups?  I have tried using pam with pam_listfile, but for some reason it does not work, I keep getting errors about sshd refusing the user.  I can use this config for su restrictions but not logins.

I keep getting the following error in /var/log/secure:

pam_listfile(sshd:auth): Refused user DOMAIN+user for service sshd

Does anyone have a working config I could model mine against?



/etc/pam.d/system-auth (Very first line)
auth            required        pam_listfile.so item=group sense=allow file=/etc/security/loginauthgrp.allow onerr=fail


More information about the samba mailing list