[Samba] locking down ssh when using winbind
Luv Linux
luvlinux2009 at gmail.com
Thu Sep 17 11:43:54 MDT 2009
Yes I have. I've also restarted smb and winbind but I'm still able to ssh
in using other domain user accounts
that are not in the specified group sshusers.
Does my sshd file look to be correct?
On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew <
aphilipoff at medicine.ucsf.edu> wrote:
> You shouldn't need to define a domain, sshusers should be sufficient. Did
> you restart sshd?
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
> ________________________________________
> From: samba-bounces at lists.samba.org [samba-bounces at lists.samba.org] On
> Behalf Of Luv Linux [luvlinux2009 at gmail.com]
> Sent: Wednesday, September 16, 2009 6:16 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> Thanks Andrew,
>
> The file didn't have the line = account required pam_stack.so
> service=system-auth
> so changed it to the following, group's name in AD is domain\sshusers btw so
> I'm not sure if I have to input it as domain\sshusers or sshusers. But
> doesn't seem to work... What did I do wrong?:
> #auth required pam_nologin.so
> auth sufficient pam_stack.so service=system-auth
> auth sufficient pam_winbind.so
> account sufficient pam_succeed_if.so user ingroup sshusers
> #account sufficient pam_stack.so service=system-auth
> account sufficient pam_winbind.so
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_loginuid.so
>
> On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <
> aphilipoff at medicine.ucsf.edu> wrote:
>
> > You can restrict access to specific local and domain groups:
> >
> > #account required pam_stack.so service=system-auth
> > account sufficient pam_succeed_if.so user ingroup users
> > account sufficient pam_succeed_if.so user ingroup webdevelopers
> >
> > Check here for more info:
> > http://linux.die.net/man/8/pam_succeed_if
> >
> > Andrew Philipoff
> > Infrastructure Coordinator
> > Information Systems
> > Department of Medicine, UCSF
> >
> >
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> > On Behalf Of Luv Linux
> > Sent: Wednesday, September 16, 2009 4:14 PM
> > To: samba at lists.samba.org
> > Subject: [Samba] locking down ssh when using winbind
> >
> > Hi all,
> >
> > I'm using samba with winbind which has been integrated with Active
> > Directory.
> > In the smb.conf file, I have
> > template shell = /bin/bash
> > winbind use default domain = yes
> >
> > to allow ssh but I don't want all the domain users to be able to ssh.
> >
> > Is there a way to only allow for example) domain\ssh_group which is an
> > active directory group to be able to ssh into the server?
> >
> > This is my current pam.d/sshd file:
> > auth required pam_nologin.so
> > auth sufficient pam_stack.so service=system-auth
> > auth sufficient pam_winbind.so
> > account sufficient pam_stack.so service=system-auth
> > account sufficient pam_winbind.so
> > password required pam_stack.so service=system-auth
> > session required pam_stack.so service=system-auth
> > session required pam_loginuid.so
>
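
Added example, not code from the thread or from the Samba or PAM projects: a simplified model of how Linux-PAM evaluates the `account` lines posted above, showing that a failed `sufficient` group test is ignored and the stack falls through to `pam_winbind.so`. The user names, the group membership and the assumption that pam_winbind's account check passes any valid domain user are constructed for illustration.

```python
# Simplified model of how Linux-PAM walks one stack (here: "account").
# Only the control flags that matter for the thread are modelled.

# Constructed sample data (not from the thread).
GROUPS = {"sshusers": {"alice"}}
DOMAIN_USERS = {"alice", "bob"}

def succeed_if_ingroup(group):
    """Stand-in for: pam_succeed_if.so user ingroup <group>"""
    return lambda user: user in GROUPS.get(group, set())

def winbind_account(user):
    """Stand-in for pam_winbind.so; assumed to pass any valid domain account."""
    return user in DOMAIN_USERS

def run_stack(stack, user):
    """Return True if the stack grants access to `user`."""
    failed = False    # a required/requisite module has failed
    granted = False   # a required/requisite module has succeeded
    for control, module in stack:
        ok = module(user)
        if control == "sufficient":
            if ok and not failed:
                return True          # success ends the stack immediately
            # a failed sufficient module is ignored
        elif control in ("required", "requisite"):
            if ok:
                granted = True
            else:
                failed = True
                if control == "requisite":
                    return False     # requisite failure ends the stack
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return granted and not failed    # nothing succeeded -> denied

# Account lines as posted in the thread.
POSTED = [("sufficient", succeed_if_ingroup("sshusers")),
          ("sufficient", winbind_account)]
# Variant: the group test is "required", so its failure cannot be ignored.
REQUIRED_GROUP = [("required", succeed_if_ingroup("sshusers")),
                  ("sufficient", winbind_account)]

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("required", REQUIRED_GROUP)):
        for user in ("alice", "bob"):
            print(name, user, "allow" if run_stack(stack, user) else "deny")
```

With the group test marked `required`, every account outside `sshusers` is denied, local accounts included.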