[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Stefan Kania
stefan at kania-online.de
Mon Nov 10 16:05:12 UTC 2025
To get AllowGroups to work, you must set "winbind expand groups = 1"; if you are using nested groups, increase the number.
On 10.11.25 at 12:06, Marco Gaiarin via samba wrote:
>
> [I retry... still no feedback... thanks...]
>
> We need to setup some samba member servers (RH/Oracle Linux, but I think it
> does not matter too much...) joined to an MS AD forest (5 domains in the
> forest).
>
> We are trying to configure SSH access to the server, and the first try was to
> use sshd_config 'AllowGroups', but we have found some sort of 'chicken and
> egg' trouble: users have to have done a successful logon to have their groups
> correctly enumerated and so be able to log on.
>
>
> A simple solution seems to NOT use 'AllowGroups' and add (in
> /etc/security/pam_winbind.conf or in pam_configuration, see later):
>
> require_membership_of=<our administration SID or group name>
>
> Looking at the manpage, it seems to me that this parameter (even when added in
> /etc/security/pam_winbind.conf) is taken into account only in the 'password' PAM
> context, i.e. all groups are taken into account for, e.g., most notably the 'session'
> PAM context.
>
>
> Anyway, I'm asking here if:
>
> 1) this is the correct solution, or there's other solution for this 'chicken and
> egg' trouble in group enumeration
>
> 2) it is correct to add 'require_membership_of' to /etc/security/pam_winbind.conf
> or it is preferable to add it only to the ssh PAM configuration (clearly in the
> 'password' context).
>
>
> Thanks.
>
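The three settings this thread talks about, placed in the files they belong to, as an added example that is not from the thread; the domain EXAMPLE, the group name linux-admins, the separator and the SID are assumptions, and the real SID must come from your own domain:

```ini
# /etc/samba/smb.conf on the member server (added example, not from the thread)
[global]
   security = ads
   workgroup = EXAMPLE              ; assumed short domain name
   realm = EXAMPLE.COM              ; assumed realm
   # 0 is the default and leaves domain group membership unexpanded, which is
   # what the thread describes: AllowGroups only matches after a first logon.
   # 1 expands one level of nesting; raise it only as far as the forest needs,
   # since each level costs extra lookups inside the parent winbindd.
   winbind expand groups = 1
   winbind use default domain = yes ; assumed; lets group names appear without prefix
   winbind separator = +            ; assumed; default is '\'

# /etc/ssh/sshd_config
# The name must match what `id -Gn <user>` prints on this host, which depends on
# the two winbind settings above (without them it would be EXAMPLE\linux-admins).
AllowGroups linux-admins

# /etc/security/pam_winbind.conf (applies to every pam_winbind stack on the host)
[global]
   # Group SID or name; the SID form survives a group rename.
   # Placeholder: look the real value up with `wbinfo --name-to-sid linux-admins`.
   require_membership_of = S-1-5-21-<DOMAIN-SID-PLACEHOLDER>-1105
```

After changing smb.conf, reload winbind and confirm with `getent group linux-admins` that members are now listed before any of them has logged on.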