[Samba] locking down ssh when using winbind

Philipoff, Andrew aphilipoff at medicine.ucsf.edu
Thu Sep 17 13:46:21 MDT 2009


Your /etc/pam.d/sshd looks different from mine. I'm running RHEL 5.4 with
the Red Hat-compiled Samba v3.0.33-3.14.el5. My /etc/pam.d/sshd looks like:

auth       include      system-auth
account    required     pam_nologin.so
#account    include      system-auth
account    sufficient   pam_succeed_if.so user ingroup users
account    sufficient   pam_succeed_if.so user ingroup webdevelopers
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Once I got this working, I did the following:
1. Created a /home/DOMAIN_NAME folder for home directories.
2. To auto-create home directories, I checked the "create home directories on
the first login" checkbox on the Options tab of
system-config-authentication. In previous RHEL releases I added "session
required pam_mkhomedir.so skel=/etc/skel umask=0022" to
/etc/pam.d/system-auth-ac to auto-create home directories in
/home/DOMAIN_NAME.

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF
Phone 415-476-1344


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Luv Linux
Sent: Thursday, September 17, 2009 10:44 AM
To: samba at lists.samba.org
Subject: Re: [Samba] locking down ssh when using winbind

Yes, I have. I've also restarted smb and winbind, but I'm still able to ssh
in using other domain user accounts that are not in the specified group
sshusers.
Does my sshd file look to be correct?

On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew <
aphilipoff at medicine.ucsf.edu> wrote:

> You shouldn't need to define a domain, sshusers should be sufficient. Did
> you restart sshd?
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
> ________________________________________
> From: samba-bounces at lists.samba.org [samba-bounces at lists.samba.org] On
> Behalf Of Luv Linux [luvlinux2009 at gmail.com]
> Sent: Wednesday, September 16, 2009 6:16 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> Thanks Andrew,
>
> The file didn't have the line "account    required     pam_stack.so
> service=system-auth", so I changed it to the following. The group's name
> in AD is domain\sshusers, by the way, so I'm not sure if I have to input
> it as domain\sshusers or sshusers. But it doesn't seem to work... What
> did I do wrong?
> #auth       required     pam_nologin.so
> auth       sufficient     pam_stack.so service=system-auth
> auth       sufficient   pam_winbind.so
> account    sufficient   pam_succeed_if.so user ingroup sshusers
> #account    sufficient     pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
>
> On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <
> aphilipoff at medicine.ucsf.edu> wrote:
>
> > You can restrict access to specific local and domain groups:
> >
> > #account    required     pam_stack.so service=system-auth
> > account    sufficient   pam_succeed_if.so user ingroup users
> > account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> >
> > Check here for more info:
> > http://linux.die.net/man/8/pam_succeed_if
> >
> > Andrew Philipoff
> > Infrastructure Coordinator
> > Information Systems
> > Department of Medicine, UCSF
> >
> >
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org [mailto:
> samba-bounces at lists.samba.org]
> > On Behalf Of Luv Linux
> > Sent: Wednesday, September 16, 2009 4:14 PM
> > To: samba at lists.samba.org
> > Subject: [Samba] locking down ssh when using winbind
> >
> > Hi all,
> >
> > I'm using samba with winbind, which has been integrated with Active
> > Directory.
> > In the smb.conf file, I have
> > template shell = /bin/bash
> > winbind use default domain = yes
> >
> > to allow ssh, but I don't want all the domain users to be able to ssh.
> >
> > Is there a way to allow only, for example, domain\ssh_group (an Active
> > Directory group) to ssh into the server?
> >
> > This is my current pam.d/sshd file:
> > auth       required     pam_nologin.so
> > auth       sufficient     pam_stack.so service=system-auth
> > auth       sufficient   pam_winbind.so
> > account    sufficient     pam_stack.so service=system-auth
> > account    sufficient   pam_winbind.so
> > password   required     pam_stack.so service=system-auth
> > session    required     pam_stack.so service=system-auth
> > session    required     pam_loginuid.so
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
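The following is an added example, not code from this thread, from Samba or from Linux-PAM: a small Python model of Linux-PAM's account-phase dispatch (the action tables behind required/requisite/sufficient/optional from pam.conf(5), and the impression/status bookkeeping of pam_dispatch_aux), run over the two account stacks posted above with constructed users. It shows why Luv Linux's stack still admits every domain user (the trailing "account sufficient pam_winbind.so" succeeds for any valid domain account, so pam_succeed_if never gets the last word) and why Andrew's stack denies by default (pam_nologin returns PAM_IGNORE when /etc/nologin is absent, so a user who matches neither pam_succeed_if line leaves no impression and the phase fails with PAM_PERM_DENIED). The module behaviour is simplified, the user records and group memberships are made up, and the pam_deny variant is my suggestion rather than anything posted in the thread.

```python
"""Model of Linux-PAM account-stack dispatch, written for this thread to show why
the poster's sshd stack admits every domain user while Andrew's denies by
default.  Users and module behaviour are constructed and simplified."""
from dataclasses import dataclass

# PAM return codes used here (names as in security/_pam_types.h).
SUCCESS, PERM_DENIED, AUTH_ERR, USER_UNKNOWN, IGNORE = (
    "PAM_SUCCESS", "PAM_PERM_DENIED", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_IGNORE")

# Action tables behind the classic control words, as documented in pam.conf(5)
# (e.g. required = [success=ok new_authtok_reqd=ok ignore=ignore default=bad]).
CONTROL = {
    "required":   {SUCCESS: "ok",   IGNORE: "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok",   IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   "default": "ignore"},
}

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset   # names as NSS returns them; with 'winbind use default
                        # domain = yes' the AD group is 'sshusers', not 'DOMAIN\sshusers'
    domain_user: bool   # True if winbind knows the account

def pam_nologin(user, args, env):
    # /etc/nologin absent: PAM_IGNORE unless 'successok' is given.
    # /etc/nologin present: everyone but root is refused.
    if env.get("nologin_file"):
        return SUCCESS if user.name == "root" else AUTH_ERR
    return SUCCESS if "successok" in args else IGNORE

def pam_succeed_if(user, args, env):
    # Only the 'user ingroup <group>' form used in the thread is modelled.
    group = args[args.index("ingroup") + 1]
    return SUCCESS if group in user.groups else AUTH_ERR

def pam_winbind(user, args, env):
    # Account phase: any valid domain account passes; local users are unknown.
    return SUCCESS if user.domain_user else USER_UNKNOWN

def pam_deny(user, args, env):
    return PERM_DENIED

MODULES = {f.__name__: f for f in (pam_nologin, pam_succeed_if, pam_winbind, pam_deny)}

def run_stack(stack, user, env=None):
    """Walk one phase the way pam_dispatch_aux() does: until some module leaves
    an impression the result is PAM_PERM_DENIED; 'ignore' changes nothing;
    'done' and 'die' end the walk early."""
    env = env or {}
    impression, status = None, PERM_DENIED
    for control, module, *args in stack:
        retval = MODULES[module](user, args, env)
        action = CONTROL[control].get(retval, CONTROL[control]["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
    return status

# Account phases from the thread (other phases are not modelled).
POSTER_STACK = [   # Luv Linux's second attempt, pam_stack line commented out
    ("sufficient", "pam_succeed_if", "user", "ingroup", "sshusers"),
    ("sufficient", "pam_winbind"),   # admits every valid domain account
]
ANDREW_STACK = [   # Andrew's RHEL 5.4 file, 'include system-auth' commented out
    ("required", "pam_nologin"),
    ("sufficient", "pam_succeed_if", "user", "ingroup", "users"),
    ("sufficient", "pam_succeed_if", "user", "ingroup", "webdevelopers"),
]
# My suggested hardening: an explicit deny, so the outcome no longer hinges on
# pam_nologin returning PAM_IGNORE (e.g. if someone later adds 'successok').
EXPLICIT_DENY_STACK = ANDREW_STACK + [("required", "pam_deny")]

USERS = {   # constructed accounts
    "alice": User("alice", frozenset({"domain users", "sshusers"}), True),
    "bob":   User("bob",   frozenset({"domain users"}), True),
    "carol": User("carol", frozenset({"domain users", "webdevelopers"}), True),
    "dave":  User("dave",  frozenset({"users"}), False),   # local account
}

def who_gets_in(stack, env=None):
    """Map each constructed user to whether the account phase admits them."""
    return {n: run_stack(stack, u, env) == SUCCESS for n, u in USERS.items()}

if __name__ == "__main__":
    for label, stack in (("poster", POSTER_STACK), ("andrew", ANDREW_STACK),
                         ("explicit deny", EXPLICIT_DENY_STACK)):
        print(label, who_gets_in(stack))
```

Running it prints that the poster's stack lets alice, bob and carol in (every domain account) and only refuses the local user dave, whereas Andrew's stack admits only carol (webdevelopers) and dave (users). Swapping Andrew's first line for "account required pam_nologin.so successok" makes pam_nologin leave a positive impression and the same stack admits everyone, which is the reason for the trailing pam_deny in the suggested variant; with /etc/nologin present, the required failure cannot be overridden by a later sufficient success, exactly as in real PAM.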