[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Wed Jun 12 12:19:13 UTC 2024


On Wed, 12 Jun 2024 08:58:08 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> Having said that, myself and Louis Van Belle wrote a script to create
> user home directories with the right permissions, this was run from a
> 'root preexec' in the 'homes' share, perhaps a similar method could be
> used on a DC, do not create a home directory if the user isn't a
> member of Domain Admins, no home directory, no login.
> 

I stared at the script code for about 10 minutes before I realised it
will not work: you have to connect via Samba before the script is run,
which rules out SSH connections.

What seems to work is using PAM and pam_succeed_if.
 
Ensure that /etc/samba/smb.conf contains:

	template shell = /bin/bash

Then create an AD group, I called mine sshlogin.
Add the members of Domain Admins to the sshlogin group.

Add these lines to /etc/pam.d/common-account

account [default=ignore success=1] pam_succeed_if.so quiet uid < 3000 debug
account [default=bad success=ignore] pam_succeed_if.so user ingroup sshlogin debug

I added them after the line:

account requisite                       pam_deny.so

The first line allows local users to log in and, if successful, causes the next line to be skipped. The second line only allows members of the group 'sshlogin' to log on.

Which leads to lines in /var/log/auth.log when a member of Domain Admins logs on:

Jun 12 12:51:05 rpidc1 sshd[1232097]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.141  user=SAMDOM\testadmin
Jun 12 12:51:05 rpidc1 sshd[1232097]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 12 12:51:05 rpidc1 sshd[1232097]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_winbind(sshd:auth): user 'SAMDOM\testadmin' granted access
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_succeed_if(sshd:account): 'uid' resolves to '3000068'
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_succeed_if(sshd:account): 'user' resolves to 'SAMDOM\testadmin'
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_succeed_if(sshd:account): requirement "user ingroup sshlogin" was met by user "SAMDOM\testadmin"
Jun 12 12:51:06 rpidc1 sshd[1232097]: Accepted password for SAMDOM\\testadmin from 192.168.1.141 port 40840 ssh2
Jun 12 12:51:06 rpidc1 sshd[1232097]: pam_unix(sshd:session): session opened for user SAMDOM\testadmin(uid=3000068) by (uid=0)

And when a local user logs on:

Jun 12 13:06:05 rpidc1 sshd[1232280]: pam_succeed_if(sshd:account): 'uid' resolves to '1000'
Jun 12 13:06:05 rpidc1 sshd[1232280]: Accepted password for adminuser from 192.168.1.141 port 58928 ssh2
Jun 12 13:06:05 rpidc1 sshd[1232280]: pam_unix(sshd:session): session opened for user adminuser(uid=1000) by (uid=0)

So, nothing added to AD (except a new group), but only admin users can
log on.

Rowland
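The way the two pam_succeed_if lines interact depends on Linux-PAM's control-flag semantics (success=1 skips the next module, default=bad records a failure that a later pam_permit cannot undo). The following Python is an added example, not code from the post, from Samba or from Linux-PAM: it re-implements the dispatch rules for an `account` stack and walks three constructed accounts through it. It assumes the rest of common-account has the shape Debian's pam-auth-update produces (pam_unix and pam_winbind as primary modules jumping over pam_deny.so to pam_permit.so), which the post does not show, and it models only the two pam_succeed_if conditions used here.

```python
"""Simulate a Linux-PAM `account` stack containing the two pam_succeed_if lines.

Added example (not Samba or Linux-PAM code). The module stubs return the
PAM codes the real modules would for these constructed users; the stack
layout around the two added lines is an assumption based on Debian's
pam-auth-update output.
"""
from dataclasses import dataclass

PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_USER_UNKNOWN = "user_unknown"
PAM_PERM_DENIED = "perm_denied"


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    local: bool
    groups: frozenset = frozenset()


# Constructed accounts: a local admin (uid < 3000), a Domain Admin that was
# added to sshlogin, and an ordinary domain user that was not.
USERS = {
    "adminuser": User("adminuser", 1000, True),
    "SAMDOM\\testadmin": User("SAMDOM\\testadmin", 3000068, False,
                              frozenset({"domain admins", "sshlogin"})),
    "SAMDOM\\alice": User("SAMDOM\\alice", 3000070, False,
                          frozenset({"domain users"})),
}


# Module stubs: pam_unix knows local users, pam_winbind knows domain users.
def pam_unix(u): return PAM_SUCCESS if u.local else PAM_USER_UNKNOWN
def pam_winbind(u): return PAM_SUCCESS if not u.local else PAM_USER_UNKNOWN
def pam_deny(u): return PAM_AUTH_ERR
def pam_permit(u): return PAM_SUCCESS


def pam_succeed_if(condition):
    """Subset of pam_succeed_if's condition language: 'uid < N', 'user ingroup G'."""
    field_, op, value = condition.split()

    def module(u):
        if field_ == "uid" and op == "<":
            ok = u.uid < int(value)
        elif field_ == "user" and op == "ingroup":
            ok = value in u.groups
        else:
            raise ValueError(f"unsupported condition: {condition}")
        return PAM_SUCCESS if ok else PAM_AUTH_ERR
    return module


# Keyword controls expressed in the [value=action ...] form, as pam.conf(5) defines them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'required' or '[success=1 default=ignore]' into {retval: action}."""
    control = KEYWORDS.get(control, control)
    return dict(pair.split("=") for pair in control.strip("[]").split())


# Assumed common-account layout with the post's two lines after pam_deny.so.
STACK = [
    ("[success=2 new_authtok_reqd=done default=ignore]", pam_unix),
    ("[success=1 new_authtok_reqd=done default=ignore]", pam_winbind),
    ("requisite", pam_deny),
    ("[default=ignore success=1]", pam_succeed_if("uid < 3000")),
    ("[default=bad success=ignore]", pam_succeed_if("user ingroup sshlogin")),
    ("required", pam_permit),
]


def run_account_stack(username, stack=STACK):
    """Walk the stack the way Linux-PAM's dispatcher does and return the final status."""
    user = USERS[username]
    impression, status = None, None  # None == _PAM_UNDEF
    i = 0
    while i < len(stack):
        control, module = stack[i]
        retval = module(user)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done") or action.isdigit():
            # A positive result only overrides an undefined or still-clean stack.
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
            if action.isdigit():
                i += int(action)  # success=N skips the next N modules
        elif action in ("bad", "die"):
            # The first failure wins; later pam_permit.so cannot clear it.
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError(f"unknown action {action}")
        i += 1
    return PAM_PERM_DENIED if impression is None else status
```

Running `run_account_stack` for the three users reproduces the post's logs: the local user is only ever checked for `uid < 3000` and skips straight to pam_permit, the sshlogin member passes both checks, and the plain domain user gets `auth_err` from the `default=bad` line, which pam_permit cannot override. Dropping the two added lines (pass `STACK[:3] + STACK[5:]`) lets the plain domain user through, which is the state before the change. The real module's `quiet` and `debug` options and its other condition forms are not modelled.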


