[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs
Rowland Penny
rpenny at samba.org
Wed Jun 12 12:19:13 UTC 2024
On Wed, 12 Jun 2024 08:58:08 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> Having said that, myself and Louis Van Belle wrote a script to create
> user home directories with the right permissions, this was run from a
> 'root preexec' in the 'homes' share, perhaps a similar method could be
> used on a DC, do not create a home directory if the user isn't a
> member of Domain Admins, no home directory, no login.
>
I stared at the script code for about 10 minutes before I realised it
will not work: you have to connect via Samba before the script is run,
which rules out SSH connections.
What seems to work is using PAM and pam_succeed_if.
Ensure that /etc/samba/smb.conf contains:
template shell = /bin/bash
Then create an AD group, I called mine sshlogin.
Add the members of Domain Admins to the sshlogin group.
Add these lines to /etc/pam.d/common-account:
account [default=ignore success=1] pam_succeed_if.so quiet uid < 3000 debug
account [default=bad success=ignore] pam_succeed_if.so user ingroup sshlogin debug
I added them after the line:
account requisite pam_deny.so
The first line allows local users to log in and, if successful, it causes the next line to be missed; the second line only allows members of the group 'sshlogin' to log on.
Which leads to lines in /var/log/auth.log when a member of Domain Admins logs on:
Jun 12 12:51:05 rpidc1 sshd[1232097]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.141 user=SAMDOM\testadmin
Jun 12 12:51:05 rpidc1 sshd[1232097]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 12 12:51:05 rpidc1 sshd[1232097]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_winbind(sshd:auth): user 'SAMDOM\testadmin' granted access
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_succeed_if(sshd:account): 'uid' resolves to '3000068'
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_succeed_if(sshd:account): 'user' resolves to 'SAMDOM\testadmin'
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_succeed_if(sshd:account): requirement "user ingroup sshlogin" was met by user "SAMDOM\testadmin"
Jun 12 12:51:06 rpidc1 sshd[1232097]: Accepted password for SAMDOM\\testadmin from 192.168.1.141 port 40840 ssh2
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_unix(sshd:session): session opened for user SAMDOM\testadmin(uid=3000068) by (uid=0)
And when a local user logs on:
Jun 12 13:06:05 rpidc1 sshd[1232280]: pam_succeed_if(sshd:account): 'uid' resolves to '1000'
Jun 12 13:06:05 rpidc1 sshd[1232280]: Accepted password for adminuser from 192.168.1.141 port 58928 ssh2
Jun 12 13:06:05 rpidc1 sshd[1232280]: pam_unix(sshd:session): session opened for user adminuser(uid=1000) by (uid=0)
So, nothing added to AD (except a new group), but only admin users can
logon.
Rowland
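An added example, not from the post above or from Samba, that simulates the decision the two pam_succeed_if lines make so the policy can be checked for a given user before it is deployed. It assumes the same values as the post ('uid < 3000' as the local-user boundary, group name 'sshlogin') and that the other modules in common-account permit the account; pam_account_decision and check_user are names chosen here.

```shell
#!/bin/sh
# Simulation of the two account lines from the post (added example, not Samba code):
#   account [default=ignore success=1]   pam_succeed_if.so quiet uid < 3000
#   account [default=bad success=ignore] pam_succeed_if.so user ingroup sshlogin
# Assumed values, taken from the post:
LOCAL_UID_MAX=3000
SSH_GROUP=sshlogin

# pam_account_decision UID "GROUP1 GROUP2 ..."
# Returns 0 when the two lines would let the stack continue (login permitted),
# 1 when the second line's default=bad would fail the account stack.
pam_account_decision() {
    pad_uid=$1
    pad_groups=$2
    # Line 1: uid < 3000 succeeds -> 'success=1' counts as ok and jumps over
    # line 2, so local users never reach the group test. On failure
    # 'default=ignore' casts no vote and we fall through to line 2.
    if [ "$pad_uid" -lt "$LOCAL_UID_MAX" ]; then
        return 0
    fi
    # Line 2: 'success=ignore' casts no vote (the rest of the stack decides),
    # 'default=bad' records a failure for every user not in the group.
    # Group names containing spaces (e.g. "domain users") split into separate
    # words here; that is harmless because only an exact match counts.
    for pad_g in $pad_groups; do
        if [ "$pad_g" = "$SSH_GROUP" ]; then
            return 0
        fi
    done
    return 1
}

# check_user USERNAME: resolve uid and groups with id(1) (winbind resolves
# domain users, e.g. SAMDOM\testadmin) and report what the policy would do.
check_user() {
    cu_name=$1
    cu_uid=$(id -u "$cu_name") || return 2
    cu_groups=$(id -nG "$cu_name")
    if pam_account_decision "$cu_uid" "$cu_groups"; then
        echo "$cu_name (uid $cu_uid): ssh login permitted"
    else
        echo "$cu_name (uid $cu_uid): ssh login denied, not in $SSH_GROUP"
        return 1
    fi
}
```

Run 'check_user' for a Domain Admins member and for an ordinary domain user before restarting sshd; a domain user that is not in sshlogin should be reported as denied.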