[Samba] SerNet - Samba 4.3 and ssh password logins

Heinz Allerberger allerberger at em.uni-frankfurt.de
Mon Apr 11 12:09:51 UTC 2016

Dear members of the samba-list, dear Luis,

Unfortunately, it doesn't work. I believe I do not understand how I 
have to use the parameter AllowGroups in the ssh_config.

I tried different ways to restrict ssh login for Windows (Samba) users:
1.) In the sshd_config
AllowUsers root mysamba-user
/etc/init.d/ssh restart

...this works!
Nobody other than root and mysamba-user can log on with ssh

2.) In the sshd_config

In /etc/group

/etc/init.d/ssh restart
...this doesn't work!

3.) In the sshd_config

samba-tool group addmembers AllowGroups mysamba-user
/etc/init.d/ssh restart
...this doesn't work!

4.) In the sshd_config
AllowGroups AllowGroups
samba-tool group addmembers AllowGroups mysamba-user
/etc/init.d/ssh restart
...this doesn't work!

Please could anybody tell me what I'm doing wrong?


On 06.04.2016 at 07:58, L.P.H. van Belle wrote:
> That's pretty simple to do.
> Create a group on windows, add the allowed users in it.
> Add
> AllowGroups YourADGroup
> In sshd_config
> Restart ssh.
> You want unix and windows groups.
> AllowGroups YourADGroup YourLinuxGroup
> Adduser Linuxgroup ( for the linux servers )
> Greet,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heinz Allerberger
>> Sent: Tuesday 5 April 2016 19:31
>> To: samba at lists.samba.org
>> Subject: [Samba] SerNet - Samba 4.3 and ssh password logins
>> Hi everyone,
>> I have a SerNet-Samba 4.3.6-10 AD which works fine.
>> Now I am trying to implement a fileserver. It is a server with a lot of
>> (old) users who have a Unix account. On this server there are also users
>> who should be able to log in from the Internet over ssh.
>> But now I'm running into trouble with the security of my fileserver.
>> If I install samba 4.3.6 on it and activate sernet-samba-client
>> with winbind, every user can log in over ssh with his
>> Windows-AD-password. This seems dangerous to me.
>> I could live with this, but then it should be possible for me to deny
>> the ssh login for some users who should not have the possibility to
>> log in from the Internet. But these users should be able to log in to the
>> domain with a Windows machine on the AD.
>> How can I do that?
>> Please don't worry about my English. I'm German and it is not my main
>> language.
>> Regards,
>> Heinz

Kind regards

Heinz Allerberger
Klinikum der J.W.Goethe Universität
Zentrum Neurologie u. Neurochirurgie
Schleusenweg 2-16
D-60528 Frankfurt am Main

Mobile: 0157-76401339
Tel: 069/6301-4274
Fax: 069/6301-6842
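
Added example, not part of the original message or of the Samba or OpenSSH projects: sshd compares each AllowGroups pattern, case-sensitively, with the group names the system resolver (NSS) returns for the user, and this script performs that comparison offline for a given sshd_config and list of names. The helper name `check_allowgroups` and the sample names are hypothetical; Match blocks and quoted patterns containing spaces are not handled.

```shell
#!/bin/sh
# check_allowgroups CONFIG NAMES  (hypothetical helper)
#   CONFIG: sshd_config path; only global AllowGroups lines are read
#   NAMES:  group names of the user, one per line, as `id -Gn USER` reports them
# Prints a verdict; exit status 0 means the AllowGroups check passes.
check_allowgroups() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    printf '%s\n' "$2" | awk -v cfg="$1" '
    # Wildcard match for sshd patterns: "*" any run of characters, "?" one.
    function glob(s, p,    si, pi, star, mark, c) {
        si = 1; pi = 1; star = 0
        while (si <= length(s)) {
            c = substr(p, pi, 1)
            if (c == "*") { star = pi; mark = si; pi++ }
            else if (c == "?" || c == substr(s, si, 1)) { si++; pi++ }
            else if (star) { pi = star + 1; mark++; si = mark }
            else return 0
        }
        while (substr(p, pi, 1) == "*") pi++
        return (pi > length(p))
    }
    BEGIN {   # patterns from repeated AllowGroups lines accumulate
        while ((getline line < cfg) > 0) {
            k = split(line, f); kw = tolower(f[1])
            if (kw == "match") break
            if (kw == "allowgroups") for (i = 2; i <= k; i++) pat[++n] = f[i]
        }
    }
    $0 != "" && hit == "" {   # one group name per line, case-sensitive
        for (i = 1; i <= n; i++)
            if (glob($0, pat[i])) { hit = $0 " matches " pat[i]; break }
    }
    END {
        if (n == 0) { print "unrestricted: no AllowGroups line"; exit 0 }
        if (hit != "") { print "allowed: " hit; exit 0 }
        print "denied: no group name matches"; exit 1
    }'
}
# Constructed sample; prefix and separator in nss_names depend on winbind settings.
demo() {
    cfg=$(mktemp) || return 1
    printf 'AllowGroups sshlogin\n' > "$cfg"
    nss_names='EXAMPLE\domain users
EXAMPLE\sshlogin'
    check_allowgroups "$cfg" sshlogin || true
    check_allowgroups "$cfg" "$nss_names" || true
    rm -f "$cfg"
}
demo
```

On a live host the name list would come from `id -Gn USER` (or `getent group`), and `sshd -T` prints the effective AllowGroups value.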
