[Samba] SerNet - Samba 4.3 and ssh password logins

L.P.H. van Belle belle at bazuin.nl
Mon Apr 11 12:58:32 UTC 2016


Hai, 

I have 
AllowGroups sshlinux, sshwindows 

Add at least 1 user in the linux group and at least 1 in the sshwindows group. 

Make sure the sshwindows group has a GID. 
And make sure the Windows user logging in over ssh also has a UID. 

AND for both, UID 1000+ (which in Debian is the default PAM setting).

This is based on a "MEMBER" server. 

If you do: 
getent passwd windowsuser 
do you get uid, gid, homedir and shell? And are these OK to log in? 

If yes, is the home dir local on the server or shared? 

If shared and IF Kerberos-based NFSv4, then you need some more. 

But first the above, else I'm lost in all the mails..


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heinz Allerberger
> Sent: Monday 11 April 2016 14:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] SerNet - Samba 4.3 and ssh password logins
> 
> Dear members of the samba-list, dear Louis,
> 
> unfortunately it doesn't work. I believe I do not understand the way I
> have to do it with the parameter AllowGroups in the ssh_config.
> 
> I tried different ways to restrict Windows (Samba) users' login with
> ssh:
> ==============================================
> 1.) In the sshd_config
> AllowUsers root mysamba-user
> /etc/init.d/ssh restart
> 
> ...this works!
> Nobody other than root and mysamba-user can log on with ssh
> 
> 2.) In the sshd_config
> AllowGroups
> 
> In /etc/group
> ssh:x:105:mysamba-user
> 
> /etc/init.d/ssh restart
> ...this doesn't work!
> 
> 3.) In sshd_config
> AllowGroups
> 
> samba-tool group addmembers AllowGroups mysamba-user
> /etc/init.d/ssh restart
> ...this doesn't work!
> 
> 4.) In sshd_config
> AllowGroups AllowGroups
> samba-tool group addmembers AllowGroups mysamba-user
> /etc/init.d/ssh restart
> ...this doesn't work!
> 
> Please could anybody tell me what I'm doing wrong?
> 
> Regards,
> Heinz
> 
> 
> 
> 
> On 06.04.2016 at 07:58, L.P.H. van Belle wrote:
> > That's pretty simple to do.
> >
> > Create a group on windows, add the allowed users in it.
> > Add
> > AllowGroups YourADGroup
> > In sshd_config
> > Restart ssh.
> >
> > You want unix and windows groups.
> > AllowGroups YourADGroup YourLinuxGroup
> >
> > Adduser Linuxgroup ( for the linux servers )
> >
> >
> > Greet,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heinz Allerberger
> >> Sent: Tuesday 5 April 2016 19:31
> >> To: samba at lists.samba.org
> >> Subject: [Samba] SerNet - Samba 4.3 and ssh password logins
> >>
> >> Hi everyone,
> >>
> >> I have a SerNet-Samba 4.3.6-10 AD which works fine.
> >>
> >> Now I am trying to implement a fileserver. It is a server with a lot of
> >> (old) users who have a Unix account. On this server there are also users
> >> who should be able to log in from the Internet over ssh.
> >>
> >> But now I'm running into trouble with the security of my fileserver.
> >> When I install samba 4.3.6 on it and activate sernet-samba-client
> >> with winbind, every user can log in over ssh with his
> >> Windows-AD-password. This seems dangerous to me.
> >>
> >> I could live with this, but then it should be possible for me to deny
> >> the ssh login for some users who should not be able to
> >> log in from the Internet. But these users should be able to log in to the
> >> domain with a Windows machine on the AD.
> >>
> >> How can I do that?
> >>
> >> Please don't worry about my English. I'm German and it is not my main
> >> language.
> >>
> >> Regards,
> >> Heinz
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> 
> --
> Kind regards
> 
> Heinz Allerberger
> System administration
> Klinikum der J.W.Goethe Universität
> Zentrum Neurologie u. Neurochirurgie
> Schleusenweg 2-16
> D-60528 Frankfurt am Main
> 
> Mobile: 0157-76401339
> Tel: 069/6301-4274
> Fax: 069/6301-6842
> 

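The checks listed in the reply at the top of this message (the allowed groups resolve with a GID, the user resolves with a UID of 1000 or more plus a home directory and a shell, and the user is in a group named by AllowGroups), written as a script. This is an added example, not part of the original thread; the function names, the exact-name matching and the sample values are assumptions, and Match blocks are ignored.

```shell
#!/bin/sh
# Added example. Assumptions: exact group names (no patterns, no spaces in
# names), no Match blocks, minimum UID 1000 as stated in the message.

# Print each group named on an AllowGroups line of an sshd_config, one per line.
allowed_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# check_account PASSWD_LINE "USER_GROUPS" "ALLOWED_GROUPS" [MIN_UID]
# Returns 0 if the account passes every check, 1 if one fails, 2 if no group
# is named on any AllowGroups line (nothing to compare against).
check_account() {
    min_uid=${4:-1000}
    if [ -z "$1" ]; then echo "FAIL: user does not resolve (no passwd entry)"; return 1; fi
    IFS=: read -r name _pw uid _gid _gecos home shell <<EOF
$1
EOF
    case $uid in
        ''|*[!0-9]*) echo "FAIL: $name has no numeric UID"; return 1 ;;
    esac
    if [ "$uid" -lt "$min_uid" ]; then echo "FAIL: UID $uid is below $min_uid"; return 1; fi
    if [ -z "$home" ] || [ -z "$shell" ]; then
        echo "FAIL: $name has no home directory or no shell"; return 1
    fi
    if [ -z "$3" ]; then echo "NOTE: no group named on an AllowGroups line"; return 2; fi
    for g in $2; do
        for a in $3; do
            if [ "$g" = "$a" ]; then
                echo "OK: $name (UID $uid) is in allowed group $a"; return 0
            fi
        done
    done
    echo "FAIL: $name is in none of the AllowGroups groups"; return 1
}

# Live check on the member server: ssh_group_check windowsuser [sshd_config]
ssh_group_check() {
    cfg=${2:-/etc/ssh/sshd_config}
    allowed=$(allowed_groups "$cfg")
    for grp in $allowed; do
        getent group "$grp" >/dev/null || echo "WARN: group $grp has no GID (does not resolve)"
    done
    check_account "$(getent passwd "$1")" "$(id -Gn "$1" 2>/dev/null)" "$allowed"
}
```

Run `ssh_group_check windowsuser` on the member server after sourcing the file; `check_account` can also be fed a saved `getent passwd` line to test a configuration before restarting sshd.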



