[Samba] Debian client/workstation pam_mount

Rowland penny rpenny at samba.org
Tue Sep 29 08:18:08 UTC 2020

On 29/09/2020 08:00, L.P.H. van Belle via samba wrote:
> Hai Bob,
> There are 2, linux only Admin accounts, ( local accounts )
>     And, only if these are member of the "local group" sshgroup
>     then your allowed to login.
OK, I have removed virtually all that was posted, it was very hard to 
follow :-(

My understanding of this is that if you set 'AllowGroups' in 
sshd_config, then only the users that are members of the groups that you 
set with 'AllowGroups' will be able to login.

It sounds to me that Louis uses two groups, one that is a local Unix 
group (it is in /etc/group) and another that is an AD group which 
becomes a Unix group by either using the winbind 'rid' backend or using 
the 'ad backend and giving the group a gidNumber attribute.

If you only used an AD group and (for what ever reason) AD went down, 
very probably no user would be able to login via ssh, this is why it is 
suggested to use two groups. You do not need to use 'AllowGroups', it is 
just another layer of security, talking of which, I would suggest you do 
not login as root via ssh, use a normal user and use sudo.

Finally we come to that '1000' number in /etc/pam.d/common-* , this 
really should be set to whatever you set as the low range in the DOMAIN 
idmap config line in your smb.conf.


More information about the samba mailing list