[Samba] Debian client/workstation pam_mount

L.P.H. van Belle belle at bazuin.nl
Tue Sep 29 08:24:24 UTC 2020

Rowland, my hero,
That's exactly what I meant.

Thanks for making it easier to read. :-)



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 29 September 2020 10:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debian client/workstation pam_mount
> On 29/09/2020 08:00, L.P.H. van Belle via samba wrote:
> > Hai Bob,
> >
> > There are 2 Linux-only admin accounts (local accounts).
> >     And only if these are members of the "local group" sshgroup
> >     are you allowed to log in.
> >   
> >
> OK, I have removed virtually all that was posted, it was very hard to
> follow :-(
>
> My understanding of this is that if you set 'AllowGroups' in
> sshd_config, then only the users that are members of the groups that
> you set with 'AllowGroups' will be able to log in.
>
> It sounds to me that Louis uses two groups, one that is a local Unix
> group (it is in /etc/group) and another that is an AD group which
> becomes a Unix group by either using the winbind 'rid' backend or using
> the 'ad' backend and giving the group a gidNumber attribute.
>
> If you only used an AD group and (for whatever reason) AD went down,
> very probably no user would be able to log in via ssh, this is why it is
> suggested to use two groups. You do not need to use 'AllowGroups', it is
> just another layer of security, talking of which, I would suggest you do
> not log in as root via ssh, use a normal user and use sudo.
>
> Finally we come to that '1000' number in /etc/pam.d/common-* , this
> really should be set to whatever you set as the low range in the DOMAIN
> idmap config line in your smb.conf.
>
> Rowland
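
The two checks described in the quoted message (a local fallback group in 'AllowGroups', and the PAM uid threshold matching the DOMAIN idmap low range), as an added example that is not part of the original thread. It assumes the '1000' in /etc/pam.d/common-* is a pam_krb5 `minimum_uid=` option; the file contents, the AD group name `linux-admins` and the domain name `EXAMPLE` are constructed.

```python
import re

def allow_groups(sshd_config):
    """Names on every AllowGroups line (sshd keywords are case-insensitive)."""
    groups = []
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() == "allowgroups":
            groups += parts[1:]
    return groups

def idmap_low(smb_conf, domain):
    """Low end of 'idmap config DOMAIN : range = low-high', or None if absent."""
    pat = r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*\d+" % re.escape(domain)
    m = re.search(pat, smb_conf, re.M | re.I)
    return int(m.group(1)) if m else None

def pam_minimum_uids(pam_text):
    """minimum_uid= values on non-comment PAM lines (assumed source of the '1000')."""
    lines = [l for l in pam_text.splitlines() if not l.lstrip().startswith("#")]
    return [int(n) for l in lines for n in re.findall(r"\bminimum_uid=(\d+)", l)]

def audit(sshd_config, etc_group, smb_conf, pam_text, domain):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    local = {l.split(":", 1)[0] for l in etc_group.splitlines() if ":" in l}
    allowed = allow_groups(sshd_config)
    if allowed and not set(allowed) & local:
        findings.append("AllowGroups lists no local group: no SSH login if AD is down")
    low = idmap_low(smb_conf, domain)
    for uid in pam_minimum_uids(pam_text):
        if low is not None and uid != low:
            findings.append(f"PAM minimum_uid={uid}, idmap low range for {domain} is {low}")
    return findings

# Constructed sample file contents (not taken from the thread).
ETC_GROUP = "root:x:0:\nsshgroup:x:1001:admin1,admin2\n"
SMB_CONF = ("[global]\n idmap config * : range = 3000-7999\n"
            " idmap config EXAMPLE : backend = rid\n"
            " idmap config EXAMPLE : range = 10000-999999\n")
BAD_SSHD, GOOD_SSHD = "AllowGroups linux-admins\n", "AllowGroups sshgroup linux-admins\n"
BAD_PAM = "auth [success=1 default=ignore] pam_krb5.so minimum_uid=1000\n"
GOOD_PAM = "auth [success=1 default=ignore] pam_krb5.so minimum_uid=10000\n"

if __name__ == "__main__":
    for finding in audit(BAD_SSHD, ETC_GROUP, SMB_CONF, BAD_PAM, "EXAMPLE"):
        print("FINDING:", finding)
```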
