[Samba] SSH - Winbind and Keybased Auth

Andrew Bartlett abartlet at samba.org
Thu Dec 5 13:20:27 MST 2013

On Thu, 2013-11-28 at 07:50 +0000, Nathan Frankish wrote:
> Hi Team,
> We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication.
> However, if the user has a ssh key set up, they seem to bypass the group membership requirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below.
> Some logs below:]: Accepted publickey for nathan from port 61767 ssh2
> System-auth-ac:
> [root at testbox01 pam.d]# cat system-auth-ac
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg
> auth required /lib/security/$ISA/pam_deny.so
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg
> account required /lib/security/$ISA/pam_permit.so

> Not sure where to go next, or what else to provide.

Can you confirm the above text is verbatim, or have extra spaces been

The other issues remain as I described, but I noticed the extra spaces
when re-examining the issue and wanted to confirm before I proceeded.
(They would make the configuration invalid, I hope). 

Also, did some tool generate this configuration, or did you just do it
based on the manpage?  I'm trying to evaluate the possible impact of
making this directive illegal for the account module. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list