[Samba] SSH to Samba server using AD credentials and group membership.
rpenny at samba.org
Wed Apr 6 18:05:05 UTC 2022
On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba
> I'm looking for a way to authenticate a Samba 4.14.12 (domain
> server SSH user with his AD credentials and group memberships.
> In this server, I have an SSH config with the statement AllowGroups
> I would like to use AD users and groups membership to control this
> I have created the accounts and groups in AD database and it is
> Now I need to configure the Samba server to see this relationship. I
> to use NSLCD and NSCD to do that, but I got the following error on
What is wrong with using winbind?
I ask this because it works for me:
First with a user that isn't in the SSH AllowGroups group:
Apr 6 18:54:55 deb11 sshd: User user1 from 192.168.0.49 not
allowed because none of user's groups are listed in AllowGroups
Then with a user that is:
Apr 6 18:55:15 deb11 sshd: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
Apr 6 18:55:15 deb11 sshd: pam_winbind(sshd:auth): getting
Apr 6 18:55:15 deb11 sshd: pam_winbind(sshd:auth): pam_get_item
returned a password
Apr 6 18:55:15 deb11 sshd: pam_winbind(sshd:auth): user 'user2'
Apr 6 18:55:16 deb11 sshd: Accepted password for user2 from
192.168.0.49 port 51144 ssh2
Apr 6 18:55:16 deb11 sshd: pam_unix(sshd:session): session opened
for user user2(uid=11107) by (uid=0)
Apr 6 18:55:16 deb11 systemd-logind: New session 4 of user user2.
Apr 6 18:55:16 deb11 systemd: pam_unix(systemd-user:session): session
opened for user user2(uid=11107) by (uid=0)
Finally, you shouldn't be using nscd with winbind; it interferes with
the winbind cache.
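
The check behind the two log outcomes above, as an added example that is not part of the original post: it resolves a user's groups through NSS (winbind, when nsswitch.conf lists it) and compares them with the AllowGroups patterns found in `sshd -T` output. The function names are hypothetical, and pattern matching is modelled as case-sensitive `*`/`?` wildcards only, which is an assumption of this sketch.

```python
"""Does any group NSS reports for a user satisfy sshd's AllowGroups?"""
import grp
import os
import pwd
import re
import shlex
import sys


def allow_groups_patterns(sshd_t_text):
    """Collect AllowGroups patterns from `sshd -T` (or sshd_config) text."""
    patterns = []
    for line in sshd_t_text.splitlines():
        if not line.strip().lower().startswith("allowgroups"):
            continue
        lex = shlex.shlex(line, posix=True)
        # Double quotes wrap names with spaces; keep the backslash in DOMAIN\group.
        lex.whitespace_split, lex.quotes, lex.escape = True, '"', ""
        words = list(lex)
        if words[0].lower() == "allowgroups":
            patterns += words[1:]
    return patterns


def nss_group_names(user):
    """Return (group names, gids without a name) as NSS resolves them."""
    pw = pwd.getpwnam(user)  # KeyError here: NSS cannot see the user at all
    names, unresolved = [], []
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            unresolved.append(gid)  # no name mapping, so it can never match a pattern
    return names, unresolved


def check_user(user, sshd_t_text, resolver=nss_group_names):
    """Report whether the user's groups match AllowGroups (assumed matching rules)."""
    patterns = allow_groups_patterns(sshd_t_text)
    names, unresolved = resolver(user)
    regexes = [re.compile(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."), re.S)
               for p in patterns]
    matched = sorted(g for g in names if any(r.fullmatch(g) for r in regexes))
    # With no AllowGroups directive sshd applies no group restriction.
    return {"allowed": not patterns or bool(matched),
            "matched": matched, "unresolved_gids": unresolved}


if __name__ == "__main__":
    # Usage (as root): sshd -T | python3 check_allowgroups.py user2
    print(check_user(sys.argv[1], sys.stdin.read()))
```

An empty "matched" list together with a non-empty "unresolved_gids" list points at name resolution rather than at the sshd configuration.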