[Samba] require_membership_of is ignored

John P Arends jarends at northwestern.edu
Thu Jan 24 15:24:34 MST 2013


I want to make sure if someone also gets local console access somehow they still can't get in. That's my concern with just making changes to how sshd authenticates.

(I know nearly nothing about PAM.)

On Jan 24, 2013, at 4:21 PM, "Philipoff, Andrew" <aphilipoff at medicine.ucsf.edu> wrote:

> John,
> 
> When you say that you can log on as any AD user, do you mean using SSH? On our systems I use "pam_succeed_if.so user ingroup" in our /etc/pam.d/sshd files, see below:
> 
> auth       include      system-auth
> account    required     pam_nologin.so
> #account    include      system-auth
> account    sufficient   pam_succeed_if.so user ingroup local_admin_group
> account    sufficient   pam_succeed_if.so user ingroup active_directory_group
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
> 
> Note that I comment out "account include system-auth " and add a local admin group so as not to lock out local users.
> 
> Andrew
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of John P Arends
> Sent: Thursday, January 24, 2013 1:45 PM
> To: samba at lists.samba.org
> Subject: [Samba] require_membership_of is ignored
> 
> I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user.
> 
> The problem is, I can log on as any AD user.
> 
> require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in.
> 
> I've put this option in both /etc/pam.d/system-auth and /etc/security/pam_winbind.conf and any user can log in.
> 
> Any suggestions, or advice on how I can better troubleshoot this? I'm not seeing anything in the logs that is helpful, but I may not be looking in the right place.
> 
> I've asked a few other people who have told me "oh, that never works" but I can't imagine that is the case.
> 
> Running  3.5.10-125.el6 by the way..
> 
> Thanks
> 
> -John
> 
> John Arends
> Senior Systems Engineer
> School of Communication
> Northwestern University 
> 847-491-5789
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 



More information about the samba mailing list