[Samba] SSH to Samba server using AD credentials and group membership.
Andrew Bartlett
abartlet at samba.org
Wed Apr 6 18:28:19 UTC 2022
On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba
wrote:
> Hi,
>
> I'm looking for a way to authenticate a Samba 4.14.12 (domain controller)
> server SSH user with his AD credentials and group memberships.
>
> In this server, I have an SSH config with the statement
> AllowGroups SysAdmins
>
> I would like to use AD users and group membership to control this access.
> I have created the accounts and groups in the AD database and it is
> working properly.
>
> Now I need to configure the Samba server to see this relationship. I tried
> to use NSLCD and NSCD to do that, but I got the following error in
> auth.log:
>
> pam_unix(sshd:account): could not identify user (from getpwnam(DOMAIN\username))
>
> I already executed pam-auth-update, but nothing happens.
>
> Can someone shed some light on it?

You are looking for pam_winbind and nss_winbind.

There is also a require_membership_of option to pam_winbind to deny
authentication unless the user is in a particular group, using the
returned groups from the login. Note that this doesn't apply for SSH
keys, only to password authentication (yes, this sucks, it is a hack).

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
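
The pieces named in the reply, as an added example that is not part of the original message and not Samba's own tooling: a shell lint that checks nsswitch.conf lists winbind for passwd and group, that pam_winbind.conf sets require_membership_of, and that sshd_config keeps AllowGroups, since the reply notes the pam_winbind check does not cover SSH keys. The function names, the sample files and the DOMAIN placeholder are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint the three files that gate winbind-backed SSH logins.
# File paths are arguments, so the checks also run against copies.

# Succeeds if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_uses_winbind() {
    awk -v db="$2" '{ sub(/#.*/, "") }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") hit = 1 }
        END { exit !hit }' "$1"
}

# Prints require_membership_of from pam_winbind.conf $1; fails if unset or empty.
pam_required_group() {
    awk -F= '{ sub(/[#;].*/, "") }
        $1 ~ /^[ \t]*require_membership_of[ \t]*$/ {
            val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { if (val == "") exit 1; print val }' "$1"
}

# Prints the AllowGroups list from sshd_config $1; fails if there is none.
sshd_allowgroups() {
    awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^[ \t]+/, ""); print; ok = 1 }
        END { exit !ok }' "$1"
}

# audit NSSWITCH PAM_WINBIND_CONF SSHD_CONFIG: prints findings, returns their count.
audit() {
    n=0
    for db in passwd group; do
        nss_uses_winbind "$1" "$db" ||
            { echo "nss: $db lacks winbind, getpwnam() cannot see AD names"; n=$((n + 1)); }
    done
    pam_required_group "$2" >/dev/null ||
        { echo "pam_winbind: require_membership_of unset, password logins ungated"; n=$((n + 1)); }
    sshd_allowgroups "$3" >/dev/null ||
        { echo "sshd: no AllowGroups, key logins skip the pam_winbind group check"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample files (not from the thread); DOMAIN is a placeholder.
d=$(mktemp -d)
printf 'passwd: files systemd\ngroup: files systemd\n' > "$d/nss.before"
printf 'passwd: files winbind\ngroup: files winbind\n' > "$d/nss.after"
printf '[global]\n;require_membership_of =\n' > "$d/pam.before"
printf '[global]\nrequire_membership_of = DOMAIN\\SysAdmins\n' > "$d/pam.after"
printf '# access control\nAllowGroups SysAdmins\n' > "$d/sshd_config"
audit "$d/nss.before" "$d/pam.before" "$d/sshd_config" || echo "findings: $?"
audit "$d/nss.after" "$d/pam.after" "$d/sshd_config" && echo "clean"
```

On a live host the same functions take /etc/nsswitch.conf, /etc/security/pam_winbind.conf and /etc/ssh/sshd_config; the group named in AllowGroups has to match the name that `getent group` returns once nss_winbind is active.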