[Samba] Debian client/workstation pam_mount
Rowland Penny
rpenny at samba.org
Tue Sep 29 08:18:08 UTC 2020
On 29/09/2020 08:00, L.P.H. van Belle via samba wrote:
> Hai Bob,
>
> There are 2, linux only Admin accounts, ( local accounts )
> And, only if these are member of the "local group" sshgroup
> then you're allowed to login.
>
>
OK, I have removed virtually all that was posted, it was very hard to
follow :-(
My understanding of this is that if you set 'AllowGroups' in
sshd_config, then only the users that are members of the groups that you
set with 'AllowGroups' will be able to login.
It sounds to me that Louis uses two groups, one that is a local Unix
group (it is in /etc/group) and another that is an AD group which
becomes a Unix group by either using the winbind 'rid' backend or using
the 'ad' backend and giving the group a gidNumber attribute.
If you only used an AD group and (for whatever reason) AD went down,
very probably no user would be able to login via ssh, this is why it is
suggested to use two groups. You do not need to use 'AllowGroups', it is
just another layer of security, talking of which, I would suggest you do
not login as root via ssh, use a normal user and use sudo.
Finally we come to that '1000' number in /etc/pam.d/common-* , this
really should be set to whatever you set as the low range in the DOMAIN
idmap config line in your smb.conf.
Rowland
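
Added example, not part of the original message: a small Python audit of the two points above, that at least one 'AllowGroups' entry is a local /etc/group group and that the number in /etc/pam.d/common-* matches the low end of the DOMAIN idmap range. The sample file contents, the names SAMDOM and ad-ssh-users, and the assumption that the '1000' appears as a minimum_uid= module option are all constructed for illustration.

```python
import re

# Constructed sample files (not from the thread); SAMDOM and ad-ssh-users are made-up names.
SMB_CONF = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""
PAM_COMMON = "auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000\n"
SSHD_CONFIG = "PermitRootLogin no\nAllowGroups sshgroup ad-ssh-users\n"
ETC_GROUP = "root:x:0:\nsshgroup:x:1001:admin1,admin2\n"

def idmap_low(smb_conf, domain):
    """Low end of 'idmap config DOMAIN : range = low-high', or None if absent."""
    pattern = r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*\d+" % re.escape(domain)
    m = re.search(pattern, smb_conf, re.I | re.M)
    return int(m.group(1)) if m else None

def pam_minimum_uids(pam_text):
    """Assumption: the threshold is written as a minimum_uid=N module option."""
    return [int(n) for n in re.findall(r"^[^#\n]*\bminimum_uid=(\d+)", pam_text, re.M)]

def allow_groups(sshd_config):
    """Group names from every uncommented AllowGroups line (wildcards not expanded)."""
    groups = []
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() == "allowgroups":
            groups += words[1:]
    return groups

def audit(smb_conf, domain, pam_text, sshd_config, etc_group):
    findings = []
    low = idmap_low(smb_conf, domain)
    for uid in pam_minimum_uids(pam_text):
        if low is not None and uid != low:
            findings.append(f"minimum_uid={uid} does not match idmap low range {low}")
    allowed = allow_groups(sshd_config)
    # Read /etc/group text directly: getent would also list winbind (AD) groups.
    local = {l.split(":", 1)[0] for l in etc_group.splitlines() if l.strip()}
    if allowed and not local.intersection(allowed):
        findings.append("no AllowGroups entry is a local group: an AD outage blocks all ssh logins")
    return findings

if __name__ == "__main__":
    for finding in audit(SMB_CONF, "SAMDOM", PAM_COMMON, SSHD_CONFIG, ETC_GROUP):
        print(finding)
```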