[Samba] SSH to Samba server using AD credentials and group membership.

Andrew Bartlett abartlet at samba.org
Wed Apr 6 18:28:19 UTC 2022

On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba
> Hi,
> I'm looking for a way to authenticate a Samba 4.14.12 (domain
> controller)
> server SSH user with his AD credentials and group memberships.
> In this server, I have a SSH config with the statement AllowGroups
> SysAdmins
> I would like to use AD users and groups membership to control this
> access.
> I have created the accounts and groups in AD database and it is
> working
> properly.
> Now I need to configure the Samba server to see this relationship. I
> tried
> to use NSLCD and NSCD to do that, but I got the following error on
> auth.log:
> pam_unix(sshd:account): could not identify user (from
> getpwnam(DOMAIN\username))
> I already execute the pam-auth-update, but nothing happens.
> Can someone give some light on it?

You are looking for pam_winbind and nss_winbind.

There is also an require_membership_of option to pam_winbind to deny
authentication unless the user in a particular group, using the
returned groups from the login.  Note that this doesn't apply for SSH
keys, only to password authentication (yes, this sucks, it is a hack).

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list