[Samba] require_membership_of is ignored

Nico Kadel-Garcia nkadel at gmail.com
Thu Jan 24 20:37:30 MST 2013

On Thu, Jan 24, 2013 at 5:24 PM, John P Arends <jarends at northwestern.edu> wrote:
> I want to make sure if someone also gets local console access somehow they still can't get in. That's my concern with just making changes to how sshd authenticates.

One way I've dealt with this, and a pretty simple one, is not use LDAP
account management at all. Use local user accounts, and allow those to
*authenticate* against the Kerberos server. Look up the "authconfig"
options to see how to do this: it allows local account management,
including the use of restricted shells and locallized uid's and group
membership, without having to manage anything but the passwords on the
upstream Samba or AD servers. It even allows the shell to be
"/sbin/nologin" or alternative access limited home directories for
shared "scp" or even "rssh" based access.

More information about the samba mailing list