[Samba] Allow Samba4/AD group "MYDOM\Domain Admins" to login through SSH on linux hosts

?icro MEGAS micromegas at mail333.com
Mon Oct 20 16:24:17 MDT 2014


For several Linux servers on our network, we want to allow the AD domain group called "MYDOM\Domain Admins" to log in through SSH with their AD credentials. Our DC1 and DC2 are running on Debian 64-bit using Samba 4.1.12/Sernet.

I'm kinda confused about what exactly I need for that. Do I need to set up PAM authentication as explained in the tutorial here? (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication) I tried that. I didn't create the symlink as shown in the tutorial (ln -s /usr/local/samba/lib/security/pam_winbind.so /lib64/security/), because I realized that I have a file called "root@membersrv1:/lib/x86_64-linux-gnu/security/pam_winbind.so", which I think comes from the Sernet Samba 4.1.12 package (please correct me if I'm wrong). Then I tried to modify "/etc/pam.d/sshd" according to the tutorial; this is how my "/etc/pam.d/sshd" looked afterwards:

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale
auth        sufficient    pam_winbind.so use_first_pass                        #
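
Added example, not part of the original post or of the Samba wiki: a small check of a PAM stack like the one quoted above. It reports every auth line that calls pam_winbind.so and whether it carries pam_winbind's require_membership_of option; without that option the auth step succeeds for any domain account with a valid password, not only for members of one group. The SID in RESTRICTED is a constructed placeholder (RID 512 is Domain Admins), and the function name is an assumption of this example.

```python
import re

# A PAM field is either a [bracketed group] or a run of non-blank characters.
TOKEN = re.compile(r"\[[^\]]*\]|\S+")

# Constructed sample 1: the auth lines quoted in the post.
POSTED = """\
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
auth        sufficient    pam_winbind.so use_first_pass                        #
"""

# Constructed sample 2: the same line limited to one group by SID (placeholder SID).
DOMAIN_ADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-512"
RESTRICTED = ("auth sufficient pam_winbind.so use_first_pass "
              "require_membership_of=" + DOMAIN_ADMINS_SID + "\n")


def winbind_auth_findings(pam_text):
    """Return one finding per 'auth' line that calls pam_winbind.so."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        tokens = TOKEN.findall(raw.split("#", 1)[0])  # drop trailing comment
        if len(tokens) < 3 or tokens[0].lstrip("-") != "auth":
            continue  # blank line, @include, or another management group
        control, module, args = tokens[1], tokens[2], tokens[3:]
        if not module.endswith("pam_winbind.so"):
            continue
        # Turn "key=value" / "flag" arguments into a dict (flags map to "").
        opts = dict(a.strip("[]").partition("=")[::2] for a in args)
        group = opts.get("require_membership_of") or None
        findings.append({
            "line": lineno,
            "control": control,
            "restricted_to": group,
            "any_domain_user": group is None,
        })
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("restricted", RESTRICTED)):
        for f in winbind_auth_findings(text):
            print(name, f)
```

The check reads only the PAM file; require_membership_of can also be set in /etc/security/pam_winbind.conf, so a line flagged here may still be restricted there.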
