Web lists-archives.com

Re: [Samba] Restricting AD group logging on to Servers




On Fri, 1 Dec 2017 17:06:42 -0000
Roy Eastwood via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> I have a Debian Stretch system running a self-compiled version 4.7.3
> of Samba.     Having followed the Samba WiKi to allow AD users to log
> onto the servers using PAM authentication, I now want to restrict
> access to specified group(s).   So I created a linuxadmins group and
> made some test users members of the group.
> 
> Initially I tried to restrict access by
> modifying /etc/security/access.conf and adding a file
> to /usr/share/pam-configs containing Auth: required pam_access.so.
> This works OK for normal users, including AD users, but I cannot get
> it to work for AD groups.   For example, I wanted to deny Domain
> Users, but allow linuxadmins.     I have tried all variations eg
> DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> users;    in quotes or not, with () as per the man page but cannot
> get this to work - ie no matter what I enter all AD users are allowed
> to log in (using SSH).
> 
> Searching the net I found reference to the pam_winbind.conf file
> in /etc/security.    This did not exist, so I created a file
> containing the line: require_membership_of=DOMAIN\\linuxadmins   but
> this has no effect.   The man pages for pam_winbind and
> pam_winbind.conf indicate it has been built for Samba v4.7 but states
> "is correct for version 3 of Samba".   So I assume it's no longer
> used for version 4?
> 
> On member servers, setting the user's shell to /bin/false in the Unix
> Attributes tab of ADUC will prevent access, but this doesn't work for
> the DCs as this value is ignored.
> 
> So how can this be done?  
> 
> Many thanks,
> 
> Roy
> 
> 

try adding the 'require_membership_of' line to the winbind auth line in
PAM.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba