[Samba] Restricting AD group logging on to Servers
Roy Eastwood
spindles7 at gmail.com
Sat Dec 2 09:15:02 UTC 2017
[snip]
> > > try adding the 'require_membership_of' line to the winbind auth line in
> > > PAM.
> > > Rowland
> > Thanks Rowland, that did the trick and is the simplest solution.
> >
> > Found that only one \ was required to separate the domain part from the group name part, i.e. DOMAIN\linuxadmins rather than
> > DOMAIN\\linuxadmins. (The man page for pam_winbind.conf suggests two \\ are needed.)
>
> Just one thing on that. Remember that this is not checked by SSH for
> authorized_keys based logins, it is run on the password checking path
> only. As long as they can't add such keys (no home dir) that is fine,
> but just be aware.
>
> I take it you have set a template shell and that is why you have access
> at all?
>
> Thanks,
>
> Andrew Bartlett
>
Thanks for pointing this out - I hadn't realised that. Yes I have set a template in smb.conf for shell and home dir on the DCs but use the unix attributes in AD for member servers. So to prevent such logons, I should not set the home dir template or should I set it to /dev/null or similar non-existent dir?
Thanks,
Roy
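An added audit script (not part of the thread) that checks both controls discussed above: whether the pam_winbind auth line carries require_membership_of, and whether sshd_config also restricts by group, since authorized_keys logins skip the PAM auth stack. The config files are constructed for the example; DOMAIN\linuxadmins is the group from the thread, and the AllowGroups spelling assumes winbind's default separator and no "winbind use default domain".

```shell
# Audit: does PAM gate password logins by AD group, and does sshd gate
# publickey logins too? Publickey authentication never runs the PAM auth
# stack, so require_membership_of on that line only covers password logins;
# sshd's own AllowGroups (an assumed setting, not from the thread) covers both.
# All files below are constructed for this example.

# 0 if the pam_winbind auth line in $1 carries a non-empty require_membership_of.
pam_restricts_group() {
    grep -qE '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*require_membership_of=[^[:space:]]' "$1"
}

# 0 if sshd_config $1 has a non-empty AllowGroups directive.
sshd_restricts_group() {
    grep -qE '^[[:space:]]*AllowGroups[[:space:]]+[^[:space:]]' "$1"
}

# Verdict for one host: prints ok / pam-only / none; exit status 0 only for ok.
audit_host() {
    if pam_restricts_group "$1"; then
        if sshd_restricts_group "$2"; then echo ok; return 0; fi
        echo pam-only; return 1          # password logins gated, key logins are not
    fi
    echo none; return 2
}

tmp=$(mktemp -d)
cat > "$tmp/common-auth" <<'EOF'
auth  sufficient  pam_winbind.so krb5_auth cached_login require_membership_of=DOMAIN\linuxadmins
auth  required    pam_unix.so nullok_secure
EOF
cat > "$tmp/common-auth.open" <<'EOF'
auth  sufficient  pam_winbind.so krb5_auth cached_login
auth  required    pam_unix.so nullok_secure
EOF
cat > "$tmp/sshd_config.weak" <<'EOF'
PubkeyAuthentication yes
EOF
cat > "$tmp/sshd_config.fixed" <<'EOF'
PubkeyAuthentication yes
AllowGroups DOMAIN\linuxadmins
EOF

echo "pam+sshd restricted: $(audit_host "$tmp/common-auth" "$tmp/sshd_config.fixed")"
echo "pam only:            $(audit_host "$tmp/common-auth" "$tmp/sshd_config.weak")"
echo "neither:             $(audit_host "$tmp/common-auth.open" "$tmp/sshd_config.weak")"
```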