Web lists-archives.com

Re: [Samba] Users and groups on member server without ssh




Its all what you want.. You have a ton of options todo this. 
But every server as a "first" user and by default unix accounts are allowed through pam. 
The first user also as sudo rights, so let call him linuxadmin. 

In debian install ssh-krb5 , that enables kerberos authorisation. ( ssh is reloaded automaticly ) 
And install : libpam-krb5 to make it all work, if not installed. 

I've added this to my sshd_config. 
# Allow groups ( linux and windows groups )
AllowGroups sshgroup servers-ssh

Now 2 groups.
Sshgroup is a full linux group.
addgroup sshgroup
adduser linuxadmin sshgroup

The servers-ssh is a windows group use on all servers. 
That allows my windows (group member) users to login. 
Any member of one of these groups is allowed. 

If all DC's are down, i login with the linuxadmin. ( but i have 2 DC's and if you can setup also a second. ) 
And if as Rowland suggested, you added : 
'winbind offline logon = yes 

You can also use the winbind Pam. 
Which looks like this. 

cat /usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so

If you add the above to the location its comming from. 
Now if you run : pam-auth-update
Just select what you want to enable. ( keep all on is adviced ) 
What you see here results in the following. 

1) try SSO auth kerberos
2) if fail, try winbind 
3) if fail, use linuxadmin 

Now you can always login. 
Except... When you down you server ;-) 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Daniel Carrasco via samba
> Verzonden: woensdag 27 september 2017 15:47
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] Users and groups on member server without ssh
> 
> Hello,
> 
> I've a member server that is working fine as shared folder 
> server (all shares works and it permissions). My problem is 
> that when I add the nsswitch winbind entries then the server 
> uses the DC to authenticate even when I use ssh, so if Samba 
> DC server fails I have problems to login into the member server.
> 
> My nsswitch:
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> 
> And my smb.conf:
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab kerberos method = 
> secrets and keytab
> 
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:schema_mode = rfc2307 idmap config 
> DOMAIN:range = 10000-99999
> 
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
> 
> Is there any way to avoid that authentication method and use 
> only the local one? (I use tools like setfacl to change 
> permissions so I need access to domain users/groups).
> 
> Thanks and greetings!!
> 
> --
> _________________________________________
> 
>       Daniel Carrasco Marín
>       Ingeniería para la Innovación i2TIC, S.L.
>       Tlf:  +34 911 12 32 84 Ext: 223
>       www.i2tic.com
> _________________________________________
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba