[Samba] locking down ssh when using winbind

Philipoff, Andrew aphilipoff at medicine.ucsf.edu
Wed Sep 16 17:48:29 MDT 2009


You can restrict access to specific local and domain groups:

#account    required     pam_stack.so service=system-auth
account    sufficient   pam_succeed_if.so user ingroup users
account    sufficient   pam_succeed_if.so user ingroup webdevelopers

Check here for more info:
http://linux.die.net/man/8/pam_succeed_if

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Luv Linux
Sent: Wednesday, September 16, 2009 4:14 PM
To: samba at lists.samba.org
Subject: [Samba] locking down ssh when using winbind

Hi all,

I'm using samba with winbind which has been integrated with Active
Directory.
In the smb.conf file, I have
template shell = /bin/bash
winbind use default domain = yes

to allow ssh but I don't want all the domain users to be able to ssh.

Is there a way to allow only, for example, domain\ssh_group, which is an
Active Directory group, to be able to ssh into the server?

This is my current pam.d/sshd file:
auth       required     pam_nologin.so
auth       sufficient     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
account    sufficient     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
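
Added example (not part of the original messages, and not Samba or Linux-PAM code): a simplified Python model of how Linux-PAM combines results for the simple control flags, run over the account lines from this thread to show when the group check actually gates ssh. Assumptions: pam_succeed_if.so succeeds only for members of the named group, pam_winbind.so's account check succeeds for every domain user, and the requisite variant is hypothetical.

```python
# Simplified model of Linux-PAM result handling for the simple control flags
# (required, requisite, sufficient, optional). No real PAM module is run;
# each module's outcome is supplied by the caller.

def evaluate(stack, outcome):
    """stack: (control, module) pairs in file order.
    outcome: module -> True if that module returns success.
    Returns True when the stack as a whole permits the login."""
    verdict = None                    # None: no module has decided yet
    for control, module in stack:
        if outcome[module]:
            if verdict is None:
                verdict = True        # first success sets a positive result
            if control == "sufficient" and verdict:
                return True           # success with no earlier failure: stop
        elif control == "required":
            verdict = False           # remembered; later modules still run
        elif control == "requisite":
            return False              # fail at once
        # a failed sufficient or optional module is ignored
    return verdict is True            # nothing succeeded: denied

USERS = "pam_succeed_if.so user ingroup users"
WEBDEV = "pam_succeed_if.so user ingroup webdevelopers"
WINBIND = "pam_winbind.so"

STACKS = {
    # The two group lines from the reply as the only account lines.
    "group_only": [("sufficient", USERS), ("sufficient", WEBDEV)],
    # The same lines with the question's pam_winbind account line left in.
    "group_then_winbind": [("sufficient", USERS), ("sufficient", WEBDEV),
                           ("sufficient", WINBIND)],
    # Hypothetical variant: one group as a hard gate ahead of pam_winbind.
    "gate_then_winbind": [("requisite", WEBDEV), ("sufficient", WINBIND)],
}

def outcomes(groups):
    # Constructed module results for a domain user in the given groups.
    return {USERS: "users" in groups, WEBDEV: "webdevelopers" in groups,
            WINBIND: True}

def report():
    """Per stack: (group member admitted, non-member admitted)."""
    member, outsider = outcomes({"webdevelopers"}), outcomes(set())
    return {name: (evaluate(stack, member), evaluate(stack, outsider))
            for name, stack in STACKS.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```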