[Samba] SerNet - Samba 4.3 and ssh password logins

Sketch smblist at rednsx.org
Tue Apr 5 18:37:31 UTC 2016

On Tue, 5 Apr 2016, Heinz Allerberger wrote:

> Now I try to implement a fileserver. It is a server with a lot of 
> (old) users, who have a Unix account. On this server there are also users who 
> should be able to log in from the Internet over ssh.
> But now I'm running into trouble with the security of my fileserver.
> If I install samba 4.3.6 on it and activate sernet-samba-client with 
> winbind, every user can log in over ssh with his Windows AD password. This 
> seems dangerous to me.
> I could live with this, but then it should be possible for me to deny the 
> ssh login for some users who should not have the possibility to log in from 
> the Internet. But these users should be able to log in to the domain with a 
> Windows machine on the AD.

If you just want to prevent logins via ssh, you can configure sshd to only 
allow certain groups to log in (man sshd, see AllowGroups), then put your 
local ssh users in said group.  This would also let you allow certain AD 
users to log in as well, if you wanted to do so in the future.

If there are other services on the system that Windows users might be able 
to authenticate to as well, you might look into doing this with PAM 
instead.  It would probably be a bit more complicated, but it can apply to 
whatever services you want that way.

Alternatively, and I haven't tested this, but you could _probably_ also do 
it by removing winbind from the shadow: line in /etc/nsswitch.conf.  I 
believe smbd only uses the system to look up uid/gids (so you still need 
it in the passwd: and group: lines), other than that it talks to winbind 
or the DC directly for user authentication.
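As an added illustration of the AllowGroups approach described above (example script, not code from the list post): it simulates sshd's AllowGroups check against a constructed sshd_config fragment and a constructed /etc/group-style database, so you can see which accounts would still get an ssh login before changing the real host. The group name sshusers and the users alice, bob and carol are assumptions.

```shell
#!/bin/sh
# Added example: simulate the sshd AllowGroups decision offline.
# On a live system the authoritative view is "sshd -T | grep -i allowgroups"
# (effective config) and "id -Gn <user>" (all groups, winbind included).

# Constructed sshd_config fragment (assumed group name "sshusers").
SSHD_CONFIG='Port 22
PasswordAuthentication yes
AllowGroups sshusers
'

# Constructed group database in /etc/group format: name:x:gid:members
# ("domain users" stands in for a group that winbind would supply).
GROUP_DB='sshusers:x:1001:alice,bob
domain users:x:10000:alice,carol
wheel:x:10:bob'

# Patterns from every AllowGroups line (sshd accumulates them); empty output
# means the directive is absent, so sshd does not restrict by group at all.
allowed_groups() {
    printf '%s\n' "$SSHD_CONFIG" |
        awk 'tolower($1)=="allowgroups" {$1=""; print substr($0,2)}'
}

# Supplementary groups of a user, one per line, from the constructed database.
# (Real sshd also considers the primary group from passwd; not modelled here.)
user_groups() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Returns 0 if sshd would let the user past AllowGroups, 1 if it would deny.
ssh_login_allowed() {
    user=$1
    allow=$(allowed_groups)
    [ -z "$allow" ] && return 0
    while IFS= read -r g; do
        for pat in $allow; do
            case "$g" in $pat) return 0 ;; esac   # sshd patterns allow * and ?
        done
    done <<EOF
$(user_groups "$user")
EOF
    return 1
}

for u in alice bob carol; do
    if ssh_login_allowed "$u"; then echo "$u: ssh allowed"; else echo "$u: ssh denied"; fi
done
```

Only alice and bob are in sshusers, so carol (an AD-only account in this scenario) is denied even though her AD password would authenticate.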
