[Samba] Restricting AD group logging on to Servers
- Date: Fri, 1 Dec 2017 17:06:42 -0000
- From: Roy Eastwood via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Restricting AD group logging on to Servers
I have a Debian Stretch system running a self-compiled version 4.7.3 of Samba. Having followed the Samba WiKi to allow AD users
to log onto the servers using PAM authentication, I now want to restrict access to specified group(s). So I created a linuxadmins
group and made some test users members of the group.
Initially I tried to restrict access by modifying /etc/security/access.conf and adding a file to /usr/share/pam-configs containing
Auth: required pam_access.so. This works OK for normal users, including AD users, but I cannot get it to work for AD groups. For
example, I wanted to deny Domain Users, but allow linuxadmins. I have tried all variations eg DOMAIN\Domain Users,
DOMAIN\\Domain Users, Domain Users, domain users; in quotes or not, with () as per the man page but cannot get this to work - ie
no matter what I enter all AD users are allowed to log in (using SSH).
Searching the net I found reference to the pam_winbind.conf file in /etc/security. This did not exist, so I created a file
containing the line: require_membership_of=DOMAIN\\linuxadmins but this has no effect. The man pages for pam_winbind and
pam_winbind.conf indicate it has been built for Samba v4.7 but states "is correct for version 3 of Samba". So I assume it's no
longer used for version 4?
On member servers, setting the user's shell to /bin/false in the Unix Attributes tab of ADUC will prevent access, but this doesn't
work for the DCs as this value is ignored.
So how can this be done?
To unsubscribe from this list go to the following URL and read the