[Samba] Restricting AD group logging on to Servers

Roy Eastwood spindles7 at gmail.com
Sat Dec 2 09:15:02 UTC 2017

> > > try adding the 'require_membership_of' line to the winbind auth line in
> > > PAM.

> > > Rowland
> > Thanks Rowland, that did the trick and is the simplest solution.
> >
> > Found that only one \ was required to separate the domain part from the group name part - ie DOMAIN\linuxadmins rather than
> > DOMAIN\\linuxadmins.   (the man page for pam_winbind.conf suggests two \\ are needed)
> Just one thing on that.  Remember that this is not checked by SSH for
> authorized_keys based logins, it is run on the password checking path
> only.  As long as they can't add such keys (no home dir) that is fine,
> but just be aware.
> I take it you have set a template shell and that is why you have access
> at all?
> Thanks,
> Andrew Bartlett
Thanks for pointing this out - I hadn't realised that.   Yes I have set a template in smb.conf for shell and home dir on the DCs but use the unix attributes in AD for member servers.   So to prevent such logons, I should not set the home dir template or should I set it to /dev/null or similar non-existent dir?



More information about the samba mailing list