[Samba] SSH to Samba server using AD credentials and group membership.
Daniel Lopes de Carvalho
daniel at cepetro.unicamp.br
Mon Apr 11 12:30:57 UTC 2022
Hi Rowland and Andrew,
Thanks for your response. I managed to make it work by editing these 3 files:
/etc/nsswitch.conf
    passwd: files systemd winbind
    group:  files systemd winbind

/etc/ssh/sshd_config
    AllowGroups root DOMAIN\sysadmins

/etc/sudoers
    %DOMAIN\sysadmins ALL=(ALL) ALL,!/bin/su,!/bin/sh,!/bin/bash
Thanks again
On Wed, Apr 6, 2022 at 3:28 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2022-04-06 at 14:11 -0300, Daniel Lopes de Carvalho via samba
> wrote:
> > Hi,
> >
> > I'm looking for a way to authenticate a Samba 4.14.12 (domain
> > controller)
> > server SSH user with his AD credentials and group memberships.
> >
> > In this server, I have a SSH config with the statement AllowGroups
> > SysAdmins
> >
> > I would like to use AD users and groups membership to control this
> > access.
> > I have created the accounts and groups in AD database and it is
> > working
> > properly.
> >
> > Now I need to configure the Samba server to see this relationship. I
> > tried
> > to use NSLCD and NSCD to do that, but I got the following error on
> > auth.log:
> >
> > pam_unix(sshd:account): could not identify user (from
> > getpwnam(DOMAIN\username))
> >
> > I already executed pam-auth-update, but nothing happens.
> >
> > Can someone give some light on it?
>
> You are looking for pam_winbind and nss_winbind.
>
> There is also a require_membership_of option to pam_winbind to deny
> authentication unless the user is in a particular group, using the
> returned groups from the login. Note that this doesn't apply for SSH
> keys, only to password authentication (yes, this sucks, it is a hack).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
>
--
Daniel Lopes de Carvalho
daniel at cepetro.unicamp.br
unisim.cepetro.unicamp.br <https://www.unisim.cepetro.unicamp.br/>
+55 19 3521-1221
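As an added example (not code from the thread or from the Samba project), the script below audits the files discussed above for the points a reviewer would raise: nsswitch must consult winbind for both passwd and group or sshd's getpwnam() fails exactly as in the original error; sshd's AllowGroups is the gate that covers every authentication method, keys included; pam_winbind's require_membership_of only covers password logins, as Andrew notes; and a sudoers entry of the form "ALL,!/bin/sh,..." is a deny-list that sudoers(5) itself warns rarely works as intended, since the user can copy the shell to another path or spawn one from any permitted editor or pager. All sample files are constructed inline; the file name pam_sshd stands in for /etc/pam.d/sshd, and the ADMIN_CMDS command alias in the allow-list rewrite is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the files the thread edits.
# Every check takes the file path as an argument, so the constructed samples
# below run offline; point the functions at /etc/nsswitch.conf,
# /etc/ssh/sshd_config, /etc/pam.d/sshd and /etc/sudoers on a real host.

# nsswitch.conf: does database $2 (passwd or group) consult winbind?
# Without this, sshd's getpwnam() fails and pam_unix logs
# "could not identify user", as in the original report.
nss_uses_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'
}

# sshd_config: list the groups on the first AllowGroups line (keywords are
# case-insensitive in sshd_config, hence tolower).
sshd_allowgroups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i; exit }' "$1"
}

# sshd_config: is group $2 on AllowGroups? AllowGroups applies to every
# authentication method, keys included, which is why it is the primary gate.
sshd_group_allowed() {
    sshd_allowgroups "$1" | grep -qxF "$2"
}

# PAM: does the auth stack pass require_membership_of=$2 to pam_winbind?
# As noted in the thread, this only restricts password logins.
pam_requires_membership() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" | grep -F pam_winbind.so |
        grep -qF "require_membership_of=$2"
}

# sudoers: flag "ALL,!cmd" entries. sudoers(5) warns that '!' combined with
# ALL to allow "all but a few" commands rarely works as intended.
sudoers_negates_all() {
    grep -vE '^[[:space:]]*#' "$1" | grep -qE 'ALL[[:space:]]*,[[:space:]]*!'
}

# --- constructed sample files (not copied from any real host) ---------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat >"$demo_dir/nsswitch.conf" <<'EOF'
passwd: files systemd winbind
group:  files systemd winbind
shadow: files
EOF

cat >"$demo_dir/sshd_config" <<'EOF'
UsePAM yes
AllowGroups root DOMAIN\sysadmins
EOF

cat >"$demo_dir/pam_sshd" <<'EOF'
auth    sufficient  pam_winbind.so require_membership_of=DOMAIN\sysadmins
auth    required    pam_unix.so
account required    pam_winbind.so
EOF

# The thread's sudoers line, and an allow-list rewrite (ADMIN_CMDS is a
# hypothetical alias) that grants only the commands the group needs.
cat >"$demo_dir/sudoers.thread" <<'EOF'
%DOMAIN\sysadmins ALL=(ALL) ALL,!/bin/su,!/bin/sh,!/bin/bash
EOF
cat >"$demo_dir/sudoers.allowlist" <<'EOF'
Cmnd_Alias ADMIN_CMDS = /usr/bin/systemctl, /usr/bin/journalctl
%DOMAIN\sysadmins ALL=(root) ADMIN_CMDS
EOF

# Run every check against a directory of files and print one verdict per check.
audit() {
    d=$1; grp=$2; sudoers=$3
    for db in passwd group; do
        if nss_uses_winbind "$d/nsswitch.conf" "$db"; then echo "ok    nsswitch: $db consults winbind"
        else echo "FAIL  nsswitch: $db does not consult winbind"; fi
    done
    if sshd_group_allowed "$d/sshd_config" "$grp"; then echo "ok    sshd: AllowGroups lists $grp"
    else echo "FAIL  sshd: AllowGroups does not list $grp"; fi
    if pam_requires_membership "$d/pam_sshd" "$grp"; then echo "ok    pam: require_membership_of=$grp (password logins only)"
    else echo "WARN  pam: no require_membership_of for $grp"; fi
    if sudoers_negates_all "$d/$sudoers"; then echo "FAIL  sudoers ($sudoers): 'ALL,!...' deny-list is bypassable; use an allow-list"
    else echo "ok    sudoers ($sudoers): no negated-ALL entries"; fi
}

audit "$demo_dir" 'DOMAIN\sysadmins' sudoers.thread
audit "$demo_dir" 'DOMAIN\sysadmins' sudoers.allowlist
```

Running it prints a FAIL for the thread's sudoers line and ok for the allow-list rewrite; on a real host, replace the sample paths with the live files and note that the AllowGroups spelling must match the group name exactly as winbind returns it (see `winbind separator` and `getent group`).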