[Samba] SSH to Samba server using AD credentials and group membership.

Daniel Lopes de Carvalho daniel at cepetro.unicamp.br
Mon Apr 11 12:30:57 UTC 2022


Hi Rowland and Andrew,

Thanks for your response. I got it to work by editing these 3 files:

/etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind

/etc/ssh/sshd_config
AllowGroups root DOMAIN\sysadmins

/etc/sudoers
%DOMAIN\sysadmins ALL=(ALL) ALL,!/bin/su,!/bin/sh,!/bin/bash

Thanks again

On Wed, Apr 6, 2022 at 3:28 PM Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba
> wrote:
> > Hi,
> >
> > I'm looking for a way to authenticate a Samba 4.14.12 (domain
> > controller)
> > server SSH user with his AD credentials and group memberships.
> >
> > In this server, I have a SSH config with the statement AllowGroups
> > SysAdmins
> >
> > I would like to use AD users and groups membership to control this
> > access.
> > I have created the accounts and groups in AD database and it is
> > working
> > properly.
> >
> > Now I need to configure the Samba server to see this relationship. I
> > tried
> > to use NSLCD and NSCD to do that, but I got the following error on
> > auth.log:
> >
> > pam_unix(sshd:account): could not identify user (from
> > getpwnam(DOMAIN\username))
> >
> > I already executed pam-auth-update, but nothing happens.
> >
> > Can someone give some light on it?
>
> You are looking for pam_winbind and nss_winbind.
>
> There is also a require_membership_of option to pam_winbind to deny
> authentication unless the user is in a particular group, using the
> returned groups from the login.  Note that this doesn't apply for SSH
> keys, only to password authentication (yes, this sucks, it is a hack).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
>

-- 
Daniel Lopes de Carvalho
daniel at cepetro.unicamp.br
unisim.cepetro.unicamp.br <https://www.unisim.cepetro.unicamp.br/>
+55 19 3521-1221
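
Editor's added example (not code from Daniel, Andrew or the Samba project): the three files above only work if the group name in sshd_config is spelled exactly as nss_winbind returns it, and AllowGroups is the one of the three controls that is enforced for every authentication method, public keys included, which is the gap Andrew points out in require_membership_of. The script below models how sshd resolves AllowGroups: it looks up the user's primary group and supplementary groups from passwd/group data and allows the login only if one of them is listed. The passwd and group entries, the user names (alice, bob, carol, dave) and the uids/gids are constructed stand-ins for `getent passwd` / `getent group` output from a winbind-joined host, so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the thread: a small model of how sshd evaluates
# AllowGroups against the passwd/group entries nss_winbind returns.
# The NSS data and the sshd_config fragment below are constructed stand-ins
# so the script runs offline; on a joined host the same data comes from
# `getent passwd` / `getent group`.

# Constructed stand-in for `getent passwd` (winbind separator is '\',
# the smb.conf default, so names look like DOMAIN\user).
PASSWD_DB='root:x:0:0:root:/root:/bin/bash
DOMAIN\alice:*:10001:10000:Alice:/home/DOMAIN/alice:/bin/bash
DOMAIN\bob:*:10002:10000:Bob:/home/DOMAIN/bob:/bin/bash
DOMAIN\carol:*:10003:10005:Carol:/home/DOMAIN/carol:/bin/bash'

# Constructed stand-in for `getent group`: alice is a supplementary member
# of sysadmins, carol has it as her primary group, bob is in neither.
GROUP_DB='root:x:0:
DOMAIN\domain users:x:10000:
DOMAIN\sysadmins:x:10005:DOMAIN\alice'

# The AllowGroups line from the thread; group names must be spelled exactly
# as NSS returns them, separator included.
SSHD_CONFIG='PasswordAuthentication yes
AllowGroups root DOMAIN\sysadmins'

# Print the primary gid of a user, or nothing if NSS does not know the user
# (the "could not identify user" case from the original auth.log).
primary_gid() {
    printf '%s\n' "$PASSWD_DB" | while IFS=: read -r name pw uid gid rest; do
        if [ "$name" = "$1" ]; then
            printf '%s\n' "$gid"
            break
        fi
    done
}

# Print every group name the user belongs to, one per line: the primary
# group (matched by gid) plus each group whose member list names the user.
# This is the list sshd obtains via getgrouplist(3) before matching.
user_groups() {
    u=$1
    gid=$(primary_gid "$u")
    printf '%s\n' "$GROUP_DB" | while IFS=: read -r gname gpw ggid members; do
        if [ -n "$gid" ] && [ "$ggid" = "$gid" ]; then
            printf '%s\n' "$gname"
        else
            case ",$members," in
                *",$u,"*) printf '%s\n' "$gname" ;;
            esac
        fi
    done
}

# sshd_config(5): with AllowGroups set, login is allowed only for users whose
# primary group or supplementary group list matches one of the patterns.
# sshd applies this before any authentication method runs, so it also covers
# public-key logins, which pam_winbind's require_membership_of does not.
# Exact-name matching only; sshd's '*' and '?' wildcards are not modelled.
ssh_login_allowed() {
    u=$1
    allow=$(printf '%s\n' "$SSHD_CONFIG" | sed -n 's/^AllowGroups[[:space:]]*//p')
    if [ -z "$allow" ]; then
        return 0     # no AllowGroups directive: no group restriction
    fi
    user_groups "$u" | while IFS= read -r g; do
        for pat in $allow; do
            if [ "$g" = "$pat" ]; then
                printf 'match\n'
            fi
        done
    done | grep -q match
}

for u in root 'DOMAIN\alice' 'DOMAIN\bob' 'DOMAIN\carol' 'DOMAIN\dave'; do
    if ssh_login_allowed "$u"; then
        printf '%-14s allowed  (groups: %s)\n' "$u" "$(user_groups "$u" | tr '\n' ' ')"
    else
        printf '%-14s denied   (groups: %s)\n' "$u" "$(user_groups "$u" | tr '\n' ' ')"
    fi
done
```

On a real host the equivalent checks are `getent group 'DOMAIN\sysadmins'` and `id 'DOMAIN\alice'`: if the group name printed there differs from the one in AllowGroups (different separator, different case handling), sshd will deny every domain login. Two caveats a practitioner would want next to this: the model above only restricts who may log in, not what they may run; and sudoers(5) itself documents that subtracting commands from ALL with the `!` operator is not an effective restriction, because a user can copy the excluded binary under another name and run that copy, so the `!/bin/su,!/bin/sh,!/bin/bash` exclusions in the sudoers line above do not prevent a member of DOMAIN\sysadmins from obtaining a root shell.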