Re: [Samba] Users and groups on member server without ssh
- Date: Wed, 27 Sep 2017 16:25:19 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Users and groups on member server without ssh
It's all what you want.. You have a ton of options to do this.
But every server has a "first" user and by default unix accounts are allowed through pam.
The first user also has sudo rights, so let's call him linuxadmin.
In debian install ssh-krb5 , that enables kerberos authorisation. ( ssh is reloaded automatically )
And install : libpam-krb5 to make it all work, if not installed.
I've added this to my sshd_config.
# Allow groups ( linux and windows groups )
AllowGroups sshgroup servers-ssh
Now 2 groups.
Sshgroup is a full linux group.
adduser linuxadmin sshgroup
The servers-ssh is a windows group used on all servers.
That allows my windows (group member) users to login.
Any member of one of these groups is allowed.
If all DC's are down, I log in with the linuxadmin. ( but I have 2 DC's and if you can, setup also a second. )
And if, as Rowland suggested, you added :
'winbind offline logon = yes'
You can also use the winbind PAM.
Which looks like this.
Name: Winbind NT/Active Directory authentication
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
[success=end default=ignore] pam_winbind.so
If you add the above to the location it's coming from.
Now if you run : pam-auth-update
Just select what you want to enable. ( keeping all on is advised )
What you see here results in the following.
1) try SSO auth kerberos
2) if fail, try winbind
3) if fail, use linuxadmin
Now you can always login.
Except... When you down your server ;-)
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Daniel Carrasco via samba
> Sent: Wednesday 27 September 2017 15:47
> To: samba@xxxxxxxxxxxxxxx
> Subject: [Samba] Users and groups on member server without ssh
> I've a member server that is working fine as shared folder
> server (all shares work and their permissions). My problem is
> that when I add the nsswitch winbind entries then the server
> uses the DC to authenticate even when I use ssh, so if the Samba
> DC server fails I have problems logging in to the member server.
> My nsswitch:
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
> And my smb.conf:
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> Is there any way to avoid that authentication method and use
> only the local one? (I use tools like setfacl to change
> permissions so I need access to domain users/groups).
> Thanks and greetings!!
> Daniel Carrasco Marín
> Ingeniería para la Innovación i2TIC, S.L.
> Tlf: +34 911 12 32 84 Ext: 223
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
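The setup described in the reply above depends on two things surviving a DC outage: at least one group in sshd's AllowGroups being a plain local Unix group (the linuxadmin break-glass path), and winbind offline logon being enabled so cached domain users can still authenticate. The following POSIX shell script is an added example, not code from the mailing-list thread or from Samba; it audits those two settings against constructed sample copies of sshd_config, /etc/group and smb.conf (the file paths, sample contents and function names are assumptions for this example).

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from Samba): audit a member
# server for the two settings the thread relies on when the DCs are unreachable:
# a *local* Unix group in sshd's AllowGroups and "winbind offline logon = yes".
# File paths are parameters so the checks can be run against sample files.

# Print the group names from the (last) AllowGroups line of an sshd_config,
# separated by single spaces; prints an empty line if there is none.
allow_groups() {
    awk 'tolower($1)=="allowgroups" {
             line=""
             for (i=2; i<=NF; i++) line = line (i>2 ? " " : "") $i
         }
         END { print line }' "$1"
}

# Return 0 if group $2 is defined in the group file $1 (a local Unix group,
# resolvable without winbind); domain groups only come via NSS/winbind.
is_local_group() {
    grep -q "^$2:" "$1"
}

# Return 0 if at least one AllowGroups entry is a local group, i.e. ssh login
# for that group does not depend on winbind or DC availability.
has_local_breakglass_group() {
    sshd_conf=$1
    group_file=$2
    for g in $(allow_groups "$sshd_conf"); do
        if is_local_group "$group_file" "$g"; then
            return 0
        fi
    done
    return 1
}

# Return 0 if smb.conf enables offline logon (case and whitespace tolerant),
# which pam_winbind's cached_login needs to authenticate while DCs are down.
winbind_offline_enabled() {
    grep -iqE '^[[:space:]]*winbind[[:space:]]+offline[[:space:]]+logon[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Constructed sample files mirroring the thread's configuration: a local
# sshgroup containing linuxadmin, a domain group servers-ssh that is NOT in
# /etc/group, and two smb.conf variants (with and without offline logon).
setup_samples() {
    dir=$(mktemp -d)
    printf 'PermitRootLogin no\nAllowGroups sshgroup servers-ssh\n' > "$dir/sshd_config"
    printf 'root:x:0:\nsudo:x:27:linuxadmin\nsshgroup:x:1001:linuxadmin\n' > "$dir/group"
    printf '[global]\n  security = ADS\n  winbind offline logon = yes\n' > "$dir/smb.conf"
    printf '[global]\n  security = ADS\n' > "$dir/smb_nooffline.conf"
    echo "$dir"
}

# Usage on a real host (not run here):
#   has_local_breakglass_group /etc/ssh/sshd_config /etc/group \
#       && echo "local break-glass group present in AllowGroups"
#   winbind_offline_enabled /etc/samba/smb.conf && echo "winbind offline logon enabled"
```

Run the two checks after any change to sshd_config or smb.conf; if the first fails, every group in AllowGroups is a domain group and an SSH login will hang or fail as soon as winbind cannot reach a DC, which is exactly the situation the original question describes.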