[Samba] locking down ssh when using winbind

Philipoff, Andrew aphilipoff at medicine.ucsf.edu
Wed Sep 16 22:30:12 MDT 2009


You shouldn't need to define a domain; sshusers should be sufficient. Did you restart sshd?

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF

________________________________________
From: samba-bounces at lists.samba.org [samba-bounces at lists.samba.org] On Behalf Of Luv Linux [luvlinux2009 at gmail.com]
Sent: Wednesday, September 16, 2009 6:16 PM
To: samba at lists.samba.org
Subject: Re: [Samba] locking down ssh when using winbind

Thanks Andrew,

The file didn't have the line = account    required     pam_stack.so service=system-auth
so I changed it to the following. The group's name in AD is domain\sshusers btw, so
I'm not sure if I have to input it as domain\sshusers or sshusers. But it
doesn't seem to work... What did I do wrong?:
#auth       required     pam_nologin.so
auth       sufficient     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
account    sufficient   pam_succeed_if.so user ingroup sshusers
#account    sufficient     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <
aphilipoff at medicine.ucsf.edu> wrote:

> You can restrict access to specific local and domain groups:
>
> #account    required     pam_stack.so service=system-auth
> account    sufficient   pam_succeed_if.so user ingroup users
> account    sufficient   pam_succeed_if.so user ingroup webdevelopers
>
> Check here for more info:
> http://linux.die.net/man/8/pam_succeed_if
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Luv Linux
> Sent: Wednesday, September 16, 2009 4:14 PM
> To: samba at lists.samba.org
> Subject: [Samba] locking down ssh when using winbind
>
> Hi all,
>
> I'm using samba with winbind which has been integrated with Active
> Directory.
> In the smb.conf file, I have
> template shell = /bin/bash
> winbind use default domain = yes
>
> to allow ssh but I don't want all the domain users to be able to ssh.
>
> Is there a way to only allow, for example, domain\ssh_group, which is an
> active directory group, to be able to ssh into the server?
>
> This is my current pam.d/sshd file:
> auth       required     pam_nologin.so
> auth       sufficient     pam_stack.so service=system-auth
> auth       sufficient   pam_winbind.so
> account    sufficient     pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
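Added example, not part of the original thread: a simplified Python model of how Linux-PAM control flags combine, run over the account lines posted above. It shows that when every account line is "sufficient", a domain user who fails the group test is still admitted by the pam_winbind.so line. The "required" variant, the function names and the per-module outcomes are assumptions made for illustration.

```python
# Added example: simplified model of Linux-PAM control flags for one stack.
# Module outcomes are assumptions passed in by the caller; no PAM code runs.

def parse_stack(text, mgmt="account"):
    """Return [(control, module, args)] for uncommented lines of one type."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mgmt:  # "#account" is skipped
            stack.append((fields[1], fields[2], " ".join(fields[3:])))
    return stack

def evaluate(stack, outcome):
    """outcome(module, args) -> True when that module would succeed."""
    failed = succeeded = False
    for control, module, args in stack:
        ok = outcome(module, args)
        if control == "sufficient":
            if ok:
                return not failed   # stack stops; later modules never run
            continue                # a failing "sufficient" is ignored
        if control in ("required", "requisite") and not ok:
            failed = True
            if control == "requisite":
                return False
        succeeded = succeeded or ok
    return succeeded and not failed

# Active account lines as posted in the thread.
POSTED = """\
account    sufficient   pam_succeed_if.so user ingroup sshusers
#account    sufficient     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
"""
# Constructed variant (not from the thread): the group test is "required".
REQUIRED_VARIANT = """\
account    required     pam_succeed_if.so user ingroup sshusers
account    sufficient   pam_winbind.so
"""

def admitted(text, in_group):
    """Assumed valid AD account: pam_winbind succeeds, group test varies."""
    def outcome(module, args):
        return in_group if module == "pam_succeed_if.so" else module == "pam_winbind.so"
    return evaluate(parse_stack(text), outcome)

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("required variant", REQUIRED_VARIANT)):
        print(name, {g: admitted(text, g) for g in (True, False)})
```

On a real host, confirm the result by attempting a login as a domain account outside the group and checking the sshd and PAM log entries for that attempt.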