[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Marco Gaiarin
gaio at lilliput.linux.it
Mon Nov 10 11:06:39 UTC 2025
[I retry... still no feedback... thanks...]
We need to set up some Samba member servers (RH/Oracle Linux, but I think it
does not matter too much...) joined to an MS AD forest (5 domains in the
forest).

We are trying to configure SSH access to the servers, and the first try was to
use the sshd_config 'AllowGroups' directive, but we have found some sort of
'chicken and egg' trouble: users have to have done a successful logon to have
their groups correctly enumerated, and so be able to logon.

A simple solution seems to be to NOT use 'AllowGroups' and add (in
/etc/security/pam_winbind.conf or in the PAM configuration, see later):

require_membership_of=<our administration SID or group name>

Looking at the manpage, it seems to me that this parameter (even when added in
/etc/security/pam_winbind.conf) is taken into account only in the 'password' PAM
context, e.g. all groups are taken into account for, most notably, the 'session'
PAM context.

Anyway, I'm asking here if:

1) this is the correct solution, or there's another solution for this 'chicken
and egg' trouble in group enumeration;

2) it is correct to add 'require_membership_of' to
/etc/security/pam_winbind.conf, or it is preferable to add it only to the ssh
PAM configuration (clearly in the 'password' context).
Thanks.
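Added example (my own, not part of the original post or of Samba): a POSIX shell script that stages the two placements the second question asks about, a global `require_membership_of` in the `[global]` section of /etc/security/pam_winbind.conf and a per-service module argument on the sshd PAM stack, into a scratch root so the candidate files can be diffed against the live ones before anything is copied into /etc. The group SID, the staging layout and the surrounding PAM lines are constructed or assumed, not taken from the post; module arguments on the pam_winbind.so line are documented in pam_winbind(8), and the per-service form here sits on the sshd stack's pam_winbind auth line.

```shell
#!/bin/sh
# Added example, not from the original post: stage both places where
# pam_winbind's require_membership_of can live, under a scratch root,
# so they can be reviewed and diffed before anything is copied into /etc.
set -eu

# Constructed placeholder: replace with the real group SID (or NAME) from
# the forest. A SID avoids depending on name resolution at logon time.
REQUIRED_GROUP='S-1-5-21-0-0-0-1234'

# Variant A: the global pam_winbind.conf. The restriction then applies to
# every PAM service that stacks pam_winbind.so, not only sshd.
write_global_conf() {
    root="$1"
    mkdir -p "$root/etc/security"
    cat > "$root/etc/security/pam_winbind.conf" <<EOF
[global]
# Only members of this group (or SID) may authenticate through pam_winbind.
require_membership_of = $REQUIRED_GROUP
EOF
}

# Variant B: a module argument on the sshd stack only, so other services
# (console, su, ...) keep their usual behaviour. The surrounding lines are
# an assumed, typical RH-style stack and must be adapted to the host.
write_sshd_stack() {
    root="$1"
    mkdir -p "$root/etc/pam.d"
    cat > "$root/etc/pam.d/sshd" <<EOF
auth       required     pam_env.so
auth       sufficient   pam_winbind.so require_membership_of=$REQUIRED_GROUP
auth       sufficient   pam_unix.so try_first_pass
auth       required     pam_deny.so
account    sufficient   pam_winbind.so
account    required     pam_unix.so
password   sufficient   pam_winbind.so
password   required     pam_unix.so
session    required     pam_unix.so
session    optional     pam_winbind.so
EOF
}

# List every staged file that sets require_membership_of, one "file:line:text"
# per hit, so it is obvious whether the setting is global, per-service or both.
find_membership_settings() {
    find "$1/etc" -type f -exec grep -Hn 'require_membership_of' {} + | sort
}

# Stand-alone run: stage both variants and show where the setting ended up.
if [ "${STAGE_DEMO:-1}" = 1 ]; then
    root="${STAGE_ROOT:-$(mktemp -d)}"
    write_global_conf "$root"
    write_sshd_stack "$root"
    printf 'Staged under %s\n' "$root"
    find_membership_settings "$root"
fi
```

Run it as `STAGE_ROOT=/tmp/pam-stage sh stage.sh` and then `diff -r /tmp/pam-stage/etc /etc` to see exactly which lines would change; in practice only one of the two variants is kept, and the listing makes it obvious if the setting ended up in both places.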