[Samba] require_membership_of is ignored
monyo at monyo.com
Sat Jan 26 09:06:26 MST 2013
From: John P Arends <jarends at northwestern.edu>
Date: Thu, 24 Jan 2013 21:45:13 +0000
> The problem is, I can log on as any AD user.
> require_membership_of is being ignored. I can put in a valid group with
> no spaces in the name, a group by SID, and either way, everyone can log

As far as I examined Samba 3.5.6 shipped with Debian Squeeze, it worked.

I added these lines into my smb.conf:

    obey pam restrictions = yes
    template shell = /bin/bash

Also I added these lines into /etc/pam.d/common_auth:

    ... pam_winbind.so require-membership-of=W2K8R2AD1\samba01g debug

samba01g is a global security group.

I tried to log in as a user who does not belong to samba01g from another box
via ssh and cannot log in, with these logs:

    Jan 27 00:57:06 squeeze64-1 sshd: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
    Jan 27 00:57:06 squeeze64-1 sshd: pam_winbind(sshd:auth): user 'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership)
    Jan 27 00:57:06 squeeze64-1 sshd: pam_winbind(sshd:auth): [pamh: 0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)

After joining the user to samba01g, the user can log in.

TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo
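
An added example, not part of the original post or of Samba: a Python script that reads pam_winbind debug lines like the ones posted above and reports each denied logon with its NTSTATUS and PAM return code, which is a quick way to confirm that a membership restriction is actually being enforced. Grouping lines by timestamp, host and service is an assumption made here because the posted lines carry no PID; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines taken from the post above, with the mail wrapping undone.
SAMPLE_LOG = r"""
Jan 27 00:57:06 squeeze64-1 sshd: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jan 27 00:57:06 squeeze64-1 sshd: pam_winbind(sshd:auth): user 'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership)
Jan 27 00:57:06 squeeze64-1 sshd: pam_winbind(sshd:auth): [pamh: 0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
"""

# syslog prefix, optional [pid], then the pam_winbind(service:phase) tag
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: "
    r"pam_winbind\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$")
NTSTATUS = re.compile(r"NTSTATUS: (\w+)")
DENIED = re.compile(r"user '([^']+)' denied access")
LEAVE = re.compile(r"LEAVE: (\w+) returning (\d+) \((\w+)\)")


def summarize_denials(log_text):
    """Return one dict per logon attempt that pam_winbind denied.

    Lines are correlated by (timestamp, host, service). This is coarse:
    two attempts in the same second on the same service would be merged.
    """
    attempts = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pam_winbind line
        entry = attempts[(m["ts"], m["host"], m["service"])]
        msg = m["msg"]
        if (s := NTSTATUS.search(msg)):
            entry["ntstatus"] = s.group(1)
        if (d := DENIED.search(msg)):
            entry["user"] = d.group(1)
        if (r := LEAVE.search(msg)):
            entry["pam_function"] = r.group(1)
            entry["pam_code"] = int(r.group(2))
            entry["pam_name"] = r.group(3)
    # Only attempts that contain an explicit "denied access" line are reported.
    return [dict(e, ts=k[0], host=k[1], service=k[2])
            for k, e in attempts.items() if "user" in e]


if __name__ == "__main__":
    for denial in summarize_denials(SAMPLE_LOG):
        print(denial)
```

The denial message itself does not distinguish a wrong password from a failed group check, so a test with a known-good password for a non-member account is still needed to attribute the denial to the membership restriction.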