[Samba] require_membership_of is ignored
TAKAHASHI Motonobu
monyo at monyo.com
Sat Jan 26 09:06:26 MST 2013
From: John P Arends <jarends at northwestern.edu>
Date: Thu, 24 Jan 2013 21:45:13 +0000
> The problem is, I can log on as any AD user.
>
> require_membership_of is being ignored. I can put in a valid group with
> no spaces in the name, a group by SID, and either way, everyone can log
> in.
As far as I examined Samba 3.5.6 shipped with Debian Squeeze, it worked.
I added these lines into my smb.conf:
-----
obey pam restrictions = yes
template shell = /bin/bash
-----
Also I added these lines into /etc/pam.d/common_auth:
-----
... pam_winbind.so require-membership-of=W2K8R2AD1\samba01g debug
-----
samba01g is a global security group.
I tried to log in as a user who does not belong to samba01g from another box
via ssh and cannot log in, with these logs:
-----
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): request wbcLogon
User failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS:
NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): user
'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership)
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): [pamh:
0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
-----
After joining the user to samba01g, the user can log in.
---
TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo
facebook.com/takahashi.motonobu
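
An added example, not part of the original message or of Samba: a small audit that lists every "auth" line calling pam_winbind.so in a PAM config and reports whether it carries the membership restriction shown above. The function name and the sample fragment are constructed for illustration; both option spellings (require_membership_of and require-membership-of) are recognised.

```python
import re

# pam_winbind accepts either spelling of the option.
OPTION = re.compile(r"^(?:require_membership_of|require-membership-of)=(.*)$")
# PAM line: type, control (possibly bracketed), module path, arguments.
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Linux-PAM lets an argument containing spaces be wrapped in [brackets].
ARG = re.compile(r"\[([^\]]*)\]|(\S+)")

def audit_pam_winbind(text):
    """Return one finding per 'auth' line that calls pam_winbind.so."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank line, comment, or @include directive
        ptype, control, module, rest = m.groups()
        if ptype != "auth" or not module.endswith("pam_winbind.so"):
            continue
        groups = []
        for bracketed, bare in ARG.findall(rest):
            opt = OPTION.match(bracketed or bare)
            if opt:
                # The value is a comma-separated list of names or SIDs.
                groups += [g for g in opt.group(1).split(",") if g]
        findings.append({"line": lineno, "control": control,
                         "groups": groups, "restricted": bool(groups)})
    return findings

# Constructed sample, not taken from the post: two restricted lines, one not.
SAMPLE = r"""
# /etc/pam.d style fragment (constructed)
auth  [success=2 default=ignore]  pam_unix.so nullok_secure
auth  sufficient  pam_winbind.so require-membership-of=W2K8R2AD1\samba01g debug
auth  sufficient  pam_winbind.so krb5_auth debug
auth  required    pam_winbind.so [require_membership_of=W2K8R2AD1\samba users]
account required  pam_winbind.so
"""

if __name__ == "__main__":
    for f in audit_pam_winbind(SAMPLE):
        state = ",".join(f["groups"]) if f["restricted"] else "NO RESTRICTION"
        print(f"line {f['line']}: control={f['control']} -> {state}")
```

Run it over every file the service's PAM stack includes. Depending on its control flag and position, one unrestricted pam_winbind.so auth line can authenticate a user that a restricted line would reject; the script does not read pam_winbind's own configuration file.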