[Samba] SSH to Samba server using AD credentials and group membership.
Rowland Penny
rpenny at samba.org
Wed Apr 6 18:05:05 UTC 2022
On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba wrote:
> Hi,
>
> I'm looking for a way to authenticate a Samba 4.14.12 (domain controller)
> server SSH user with his AD credentials and group memberships.
>
> In this server, I have an SSH config with the statement AllowGroups SysAdmins
>
> I would like to use AD users and group memberships to control this access.
> I have created the accounts and groups in the AD database and it is working
> properly.
>
> Now I need to configure the Samba server to see this relationship. I tried
> to use NSLCD and NSCD to do that, but I got the following error on
> auth.log:
What is wrong with using winbind?
I ask this because it works for me:
First with a user that isn't in the SSH AllowGroups group:

Apr 6 18:54:55 deb11 sshd[963]: User user1 from 192.168.0.49 not allowed because none of user's groups are listed in AllowGroups

Then with a user that is:

Apr 6 18:55:15 deb11 sshd[966]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.49 user=user2
Apr 6 18:55:15 deb11 sshd[966]: pam_winbind(sshd:auth): getting password (0x00000388)
Apr 6 18:55:15 deb11 sshd[966]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 6 18:55:15 deb11 sshd[966]: pam_winbind(sshd:auth): user 'user2' granted access
Apr 6 18:55:16 deb11 sshd[966]: Accepted password for user2 from 192.168.0.49 port 51144 ssh2
Apr 6 18:55:16 deb11 sshd[966]: pam_unix(sshd:session): session opened for user user2(uid=11107) by (uid=0)
Apr 6 18:55:16 deb11 systemd-logind[334]: New session 4 of user user2.
Apr 6 18:55:16 deb11 systemd: pam_unix(systemd-user:session): session opened for user user2(uid=11107) by (uid=0)

Finally, you shouldn't be using nscd with winbind, it interferes with
the winbind cache.
Rowland
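The reply above relies on three things lining up: NSS resolving users and groups through winbind, nscd staying out of the way, and sshd's AllowGroups naming a group exactly as `getent group` returns it. The script below is an added example, not code from the mailing list or from the Samba project, that checks those three points offline against copies of the files involved. Everything it reads is passed in as a file path or a flag, and the sample nsswitch.conf, sshd_config and `getent group` contents in the demo are constructed for illustration; the sample assumes `winbind use default domain = yes`, so group names carry no DOMAIN\ prefix, and it assumes winbind's usual lower-casing of names. It does not inspect the PAM stack, which must already contain pam_winbind as the log above shows.

```shell
#!/bin/sh
# Added example (not from the post or from Samba): consistency checks for
# winbind + sshd AllowGroups, run offline against copies of the config files.
#   1. nsswitch.conf lists winbind on the passwd and group lines
#   2. nscd is not running alongside winbind (it interferes with winbind's cache)
#   3. every group in sshd_config AllowGroups is returned by `getent group`,
#      spelled exactly the way getent prints it (sshd matches names literally)
# File names and sample contents below are constructed for the demo.

# usage: nsswitch_uses_winbind NSSWITCH_FILE DB   (DB is passwd or group)
nsswitch_uses_winbind() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1" >/dev/null
}

# usage: sshd_allow_groups SSHD_CONFIG  -> prints one group name per line
# (handles the "Keyword value" form only; the keyword is case-insensitive)
sshd_allow_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# usage: group_resolvable GETENT_DUMP NAME
# GETENT_DUMP is `getent group` output saved to a file (name:x:gid:members)
group_resolvable() {
    awk -F: -v want="$2" '$1 == want { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# usage: count_problems NSSWITCH SSHD_CONFIG GETENT_DUMP NSCD_RUNNING(0|1)
# prints each problem found; return status is the number of problems
count_problems() {
    nss=$1; sshd=$2; dump=$3; nscd=$4; n=0
    for db in passwd group; do
        if ! nsswitch_uses_winbind "$nss" "$db"; then
            echo "PROBLEM: nsswitch.conf '$db' line does not list winbind"
            n=$((n + 1))
        fi
    done
    if [ "$nscd" -eq 1 ]; then
        echo "PROBLEM: nscd is running; stop and disable it when using winbind"
        n=$((n + 1))
    fi
    allowed=$(sshd_allow_groups "$sshd")
    [ -n "$allowed" ] || echo "NOTE: no AllowGroups directive; sshd does not restrict by group"
    for g in $allowed; do
        if ! group_resolvable "$dump" "$g"; then
            echo "PROBLEM: AllowGroups '$g' is not returned by getent group"
            n=$((n + 1))
        fi
    done
    return $n
}

# Demo on constructed files: a "before" state with nscd in use, no winbind in
# nsswitch.conf, and AllowGroups spelled as in AD rather than as getent shows
# it; then the corrected state.
demo() {
    tmp=$(mktemp -d)
    printf 'passwd: files\ngroup:  files\n' > "$tmp/nsswitch.before"
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$tmp/nsswitch.after"
    printf 'AllowGroups SysAdmins\n' > "$tmp/sshd_config.before"
    printf 'AllowGroups sysadmins\n' > "$tmp/sshd_config.after"
    # constructed `getent group` output; assumes winbind use default domain = yes
    printf 'root:x:0:\nsysadmins:x:10005:user2\n' > "$tmp/getent.group"

    echo "== before =="
    count_problems "$tmp/nsswitch.before" "$tmp/sshd_config.before" "$tmp/getent.group" 1 || true
    echo "== after =="
    count_problems "$tmp/nsswitch.after" "$tmp/sshd_config.after" "$tmp/getent.group" 0 \
        && echo "OK: nsswitch, nscd and AllowGroups are consistent"
    rm -rf "$tmp"
}
demo
```

On a real DC you would feed it the live files, for example `getent group > /tmp/groups.txt` and `pgrep -x nscd >/dev/null; count_problems /etc/nsswitch.conf /etc/ssh/sshd_config /tmp/groups.txt $((1 - $?))`. If `getent group` does not list the AD group at all, the problem is upstream of sshd: the group has no usable gidNumber or idmap mapping, and no AllowGroups spelling will help until `wbinfo -g` and `getent group` agree.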