[Samba] locking down ssh when using winbind

Luv Linux luvlinux2009 at gmail.com
Thu Sep 17 16:57:50 MDT 2009


Thanks for your help.
I got it working.  I've moved the "account    sufficient   pam_succeed_if.so
user ingroup" line to the top and moved the "auth       include
system-auth" line to below it.  I've verified that the domain users not
belonging to the group could not ssh in while any Linux local users could.

On Thu, Sep 17, 2009 at 12:46 PM, Philipoff, Andrew <
aphilipoff at medicine.ucsf.edu> wrote:

> Your /etc/pam.d/sshd looks different from mine. I'm running RHEL 5.4 with
> the Red Hat compiled Samba v3.0.33-3.14.el5. My /etc/pam.d/sshd looks like:
>
> auth       include      system-auth
> account    required     pam_nologin.so
> #account    include      system-auth
> account    sufficient   pam_succeed_if.so user ingroup users
> account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
> Once I got this working I did the following:
> 1. Created a /home/DOMAIN_NAME folder for home directories.
> 2. To auto-create home directories I checked the "create home directories on
> the first login" checkbox of the options tab of system-config-authentication.
> In previous RHEL releases I added "session required pam_mkhomedir.so
> skel=/etc/skel umask=0022" to /etc/pam.d/system-auth-ac to auto-create home
> directories in /home/DOMAIN_NAME.
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
> Phone 415-476-1344
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Luv Linux
> Sent: Thursday, September 17, 2009 10:44 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> Yes I have.  I've also restarted smb and winbind but I'm still able to ssh
> in using other domain user accounts
> that are not in the specified group sshusers.
> Does my sshd file look to be correct?
>
> On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew <
> aphilipoff at medicine.ucsf.edu> wrote:
>
> > You shouldn't need to define a domain, sshusers should be sufficient. Did
> > you restart sshd?
> >
> > Andrew Philipoff
> > Infrastructure Coordinator
> > Information Systems
> > Department of Medicine, UCSF
> >
> > ________________________________________
> > From: samba-bounces at lists.samba.org [samba-bounces at lists.samba.org] On
> > Behalf Of Luv Linux [luvlinux2009 at gmail.com]
> > Sent: Wednesday, September 16, 2009 6:16 PM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] locking down ssh when using winbind
> >
> > Thanks Andrew,
> >
> > The file didn't have the line "account    required     pam_stack.so
> > service=system-auth", so I changed it to the following. The group's name in AD
> > is domain\sshusers btw, so I'm not sure if I have to input it as
> > domain\sshusers or sshusers.   But it doesn't seem to work...  What did I do
> > wrong?:
> > #auth       required     pam_nologin.so
> > auth       sufficient     pam_stack.so service=system-auth
> > auth       sufficient   pam_winbind.so
> > account    sufficient   pam_succeed_if.so user ingroup sshusers
> > #account    sufficient     pam_stack.so service=system-auth
> > account    sufficient   pam_winbind.so
> > password   required     pam_stack.so service=system-auth
> > session    required     pam_stack.so service=system-auth
> > session    required     pam_loginuid.so
> >
> > On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <
> > aphilipoff at medicine.ucsf.edu> wrote:
> >
> > > You can restrict access to specific local and domain groups:
> > >
> > > #account    required     pam_stack.so service=system-auth
> > > account    sufficient   pam_succeed_if.so user ingroup users
> > > account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> > >
> > > Check here for more info:
> > > http://linux.die.net/man/8/pam_succeed_if
> > >
> > > Andrew Philipoff
> > > Infrastructure Coordinator
> > > Information Systems
> > > Department of Medicine, UCSF
> > >
> > >
> > > -----Original Message-----
> > > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> > > On Behalf Of Luv Linux
> > > Sent: Wednesday, September 16, 2009 4:14 PM
> > > To: samba at lists.samba.org
> > > Subject: [Samba] locking down ssh when using winbind
> > >
> > > Hi all,
> > >
> > > I'm using samba with winbind which has been integrated with Active
> > > Directory.
> > > In the smb.conf file, I have
> > > template shell = /bin/bash
> > > winbind use default domain = yes
> > >
> > > to allow ssh but I don't want all the domain users to be able to ssh.
> > >
> > > Is there a way to only allow, for example, domain\ssh_group, which is an
> > > active directory group, to be able to ssh into the server?
> > >
> > > This is my current pam.d/sshd file:
> > > auth       required     pam_nologin.so
> > > auth       sufficient     pam_stack.so service=system-auth
> > > auth       sufficient   pam_winbind.so
> > > account    sufficient     pam_stack.so service=system-auth
> > > account    sufficient   pam_winbind.so
> > > password   required     pam_stack.so service=system-auth
> > > session    required     pam_stack.so service=system-auth
> > > session    required     pam_loginuid.so
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
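The fix the thread arrives at turns on how Linux-PAM treats `sufficient` and `required` account lines. The following Python model is an added illustration (not code from the thread, Samba or Linux-PAM) that evaluates the original poster's account stack and Andrew's restricted one for three constructed users; every per-module outcome is an assumption of the model, in particular that pam_nologin returns PAM_IGNORE while /etc/nologin is absent (its documented default).

```python
# Simplified model of how Linux-PAM walks an `account` stack: it shows why control
# flags and ordering in the quoted /etc/pam.d/sshd files decide what pam_succeed_if restricts.
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

def evaluate(stack, results):
    """Walk [(control, module_line)] against {module_line: outcome}. required:
    a failure is recorded but later modules still run. sufficient: success ends
    the stack with a grant unless an earlier required module failed; a failure
    is ignored. IGNORE contributes nothing; with no verdict, Linux-PAM denies."""
    impression = None  # None = undecided, True/False = verdict recorded so far
    for control, module in stack:
        outcome = results[module]
        if outcome == IGNORE:
            continue
        if control == "sufficient":
            if outcome == SUCCESS and impression is not False:
                return True  # short-circuit: access granted
        elif outcome == SUCCESS:
            impression = True if impression is None else impression
        else:
            impression = False  # required module failed; keep walking
    return impression is True  # undecided (None) means denied

# Account lines as quoted in the thread (commented-out lines omitted).
ORIGINAL_SSHD = [("sufficient", "pam_stack.so service=system-auth"),
                 ("sufficient", "pam_winbind.so")]
RESTRICTED_SSHD = [("required", "pam_nologin.so"),
                   ("sufficient", "pam_succeed_if.so user ingroup users"),
                   ("sufficient", "pam_succeed_if.so user ingroup webdevelopers")]

def outcomes(local, in_users, in_webdev):
    """Constructed per-user module results (assumed, not observed): pam_nologin
    returns IGNORE while /etc/nologin is absent, pam_winbind accepts any domain
    account and the system-auth stack only knows local accounts."""
    return {"pam_stack.so service=system-auth": SUCCESS if local else FAIL,
            "pam_winbind.so": FAIL if local else SUCCESS,
            "pam_nologin.so": IGNORE,
            "pam_succeed_if.so user ingroup users": SUCCESS if in_users else FAIL,
            "pam_succeed_if.so user ingroup webdevelopers": SUCCESS if in_webdev else FAIL}

USERS = {"local admin": outcomes(True, True, False),
         "domain web developer": outcomes(False, False, True),
         "other domain user": outcomes(False, False, False)}

def verdicts(stack):
    """Which of the constructed users the given account stack lets in."""
    return {name: evaluate(stack, res) for name, res in USERS.items()}

if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL_SSHD), "restricted:", verdicts(RESTRICTED_SSHD))
```

Under these assumptions the original stack admits all three users, while the restricted stack denies only the domain user outside both groups. Had a required module that succeeds for everyone (such as the commented-out system-auth include) preceded the sufficient lines, the non-member's ignored failures would leave that positive result standing and access would be granted.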