[Samba] Debian client/workstation pam_mount
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 29 08:24:24 UTC 2020
Rowland, My hero,
That's exactly what I meant..
Thanks for making it better to read.. :-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 29 September 2020 10:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debian client/workstation pam_mount
>
> On 29/09/2020 08:00, L.P.H. van Belle via samba wrote:
> > Hai Bob,
> >
> > There are 2 Linux-only Admin accounts (local accounts).
> > And only if these are members of the "local group" sshgroup
> > then you're allowed to log in.
> >
> >
> OK, I have removed virtually all that was posted, it was very hard to
> follow :-(
>
> My understanding of this is that if you set 'AllowGroups' in
> sshd_config, then only the users that are members of the groups that
> you set with 'AllowGroups' will be able to log in.
>
> It sounds to me that Louis uses two groups, one that is a local Unix
> group (it is in /etc/group) and another that is an AD group which
> becomes a Unix group by either using the winbind 'rid' backend or using
> the 'ad' backend and giving the group a gidNumber attribute.
>
> If you only used an AD group and (for whatever reason) AD went down,
> very probably no user would be able to log in via ssh, this is why it is
> suggested to use two groups. You do not need to use 'AllowGroups', it is
> just another layer of security, talking of which, I would suggest you do
> not log in as root via ssh, use a normal user and use sudo.
>
> Finally we come to that '1000' number in /etc/pam.d/common-* , this
> really should be set to whatever you set as the low range in the DOMAIN
> idmap config line in your smb.conf.
>
> Rowland
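Added example (not part of the thread and not Samba project code): a small Python check for the last point in the quoted message, comparing the low end of the DOMAIN idmap range in smb.conf with the threshold in a /etc/pam.d/common-* file. It assumes the '1000' appears as a `minimum_uid=` module argument; the sample file contents, the domain name DOMAIN and the ranges are constructed.

```python
import re

# Constructed sample files (not from the thread); DOMAIN and the ranges are assumptions.
SMB_CONF = """\
[global]
    workgroup = DOMAIN
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-999999
"""
# Assumption: the '1000' is a minimum_uid= argument on a PAM module line.
PAM_COMMON_AUTH = """\
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
"""

IDMAP_RANGE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
MIN_UID = re.compile(r"\bminimum_uid=(\d+)")

def domain_low_range(smb_conf, domain):
    """Return the low end of 'idmap config <domain> : range', or None if absent."""
    for name, low, _high in IDMAP_RANGE.findall(smb_conf):
        if name.lower() == domain.lower():
            return int(low)
    return None

def pam_mismatches(pam_text, expected_low):
    """Return (line_number, value) for each minimum_uid that differs from expected_low."""
    out = []
    for n, line in enumerate(pam_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip commented-out PAM lines
            continue
        for value in MIN_UID.findall(line):
            if int(value) != expected_low:
                out.append((n, int(value)))
    return out

if __name__ == "__main__":
    low = domain_low_range(SMB_CONF, "DOMAIN")
    for n, value in pam_mismatches(PAM_COMMON_AUTH, low):
        print(f"common-auth line {n}: minimum_uid={value}, idmap low range is {low}")
```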