Re: [Samba] Restricting AD group logging on to Servers
- Date: Fri, 1 Dec 2017 18:04:49 -0000
- From: Roy Eastwood via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Restricting AD group logging on to Servers
> -----Original Message-----
> From: Rowland Penny [mailto:rpenny@xxxxxxxxx]
> Sent: 01 December 2017 17:40
> To: samba@xxxxxxxxxxxxxxx
> Cc: Roy Eastwood
> Subject: Re: [Samba] Restricting AD group logging on to Servers
> On Fri, 1 Dec 2017 17:06:42 -0000
> Roy Eastwood via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Hi,
> > I have a Debian Stretch system running a self-compiled version 4.7.3
> > of Samba. Having followed the Samba WiKi to allow AD users to log
> > onto the servers using PAM authentication, I now want to restrict
> > access to specified group(s). So I created a linuxadmins group and
> > made some test users members of the group.
> > Initially I tried to restrict access by
> > modifying /etc/security/access.conf and adding a file
> > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > This works OK for normal users, including AD users, but I cannot get
> > it to work for AD groups. For example, I wanted to deny Domain
> > Users, but allow linuxadmins. I have tried all variations eg
> > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> > users; in quotes or not, with () as per the man page but cannot
> > get this to work - ie no matter what I enter all AD users are allowed
> > to log in (using SSH).
> > Searching the net I found reference to the pam_winbind.conf file
> > in /etc/security. This did not exist, so I created a file
> > containing the line: require_membership_of=DOMAIN\\linuxadmins but
> > this has no effect. The man pages for pam_winbind and
> > pam_winbind.conf indicate it has been built for Samba v4.7 but states
> > "is correct for version 3 of Samba". So I assume it's no longer
> > used for version 4?
> > On member servers, setting the user's shell to /bin/false in the Unix
> > Attributes tab of ADUC will prevent access, but this doesn't work for
> > the DCs as this value is ignored.
> > So how can this be done?
> > Many thanks,
> > Roy
> try adding the 'require_membership_of' line to the winbind auth line in
Thanks Rowland, that did the trick and is the simplest solution.
Found that only one \ was required to separate the domain part from the group name part - ie DOMAIN\linuxadmins rather than
DOMAIN\\linuxadmins. (the man page for pam_winbind.conf suggests two \\ are needed).
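As an added example that is not part of the thread, the configuration Roy describes written out on Debian's pam-auth-update framework, followed by a small audit of the resulting PAM stack. The domain name EXAMPLE, the group linuxadmins, the profile name and the sample PAM lines are all placeholders or constructed input, not files from the original posts. The profile is modelled on the one shipped by Debian's libpam-winbind package; with a self-built Samba the profile has to be dropped into /usr/share/pam-configs by hand and activated with `pam-auth-update`, which then regenerates /etc/pam.d/common-auth (hand edits inside the managed block of common-auth are overwritten on the next run, so the profile is the place to keep the option). pam_winbind accepts either the group name or its SID after `require_membership_of=`; the SID form side-steps the backslash question entirely.

```bash
#!/bin/sh
# Added example (not from the Samba thread): restrict pam_winbind logins to
# one AD group and audit the PAM auth stack for it. Domain "EXAMPLE", group
# "linuxadmins" and the file names are assumptions.

# 1. A pam-configs profile modelled on Debian's libpam-winbind one, with
#    require_membership_of added to both Auth lines. One backslash is enough
#    on a PAM module line; the quoted heredoc keeps it literal. Continuation
#    lines are tab-indented as in the stock profile.
winbind_profile() {
    cat <<'EOF'
Name: Winbind NT/Active Directory authentication (assumed profile)
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass require_membership_of=EXAMPLE\linuxadmins
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login require_membership_of=EXAMPLE\linuxadmins
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional	pam_winbind.so
EOF
}

# 2. Audit a generated PAM file: every "auth" line that loads pam_winbind.so
#    must carry require_membership_of=. Exit status: 0 restricted,
#    1 at least one open pam_winbind auth line, 2 pam_winbind not in the
#    auth stack at all. Comment lines are skipped by the leading "auth" match.
pam_winbind_restricted() {
    lines=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | grep 'pam_winbind\.so' || true)
    [ -n "$lines" ] || return 2
    printf '%s\n' "$lines" | grep -vq 'require_membership_of=' && return 1
    return 0
}

# 3. Live check on a joined host (needs winbindd running): resolve the group
#    to its SID and list the groups winbind reports for a test account.
#    Both flags exist in wbinfo(1); this only runs if the tool is present.
show_membership() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    wbinfo -n "$1"      # group name -> SID (usable in require_membership_of=)
    wbinfo -r "$2"      # gids the test user is a member of
}

# 4. Constructed sample stacks (not real files) so the audit runs offline.
tmp=$(mktemp -d)
winbind_profile > "$tmp/winbind.profile"
printf 'auth\t[success=1 default=ignore]\tpam_winbind.so krb5_auth cached_login require_membership_of=EXAMPLE\\linuxadmins\nauth\trequisite\tpam_deny.so\n' > "$tmp/common-auth.restricted"
printf 'auth\t[success=1 default=ignore]\tpam_winbind.so krb5_auth cached_login\nauth\trequisite\tpam_deny.so\n' > "$tmp/common-auth.open"
for f in "$tmp"/common-auth.*; do
    if pam_winbind_restricted "$f"; then
        echo "$f: restricted"
    else
        echo "$f: NOT restricted"
    fi
done
```

One caveat worth testing rather than assuming: `require_membership_of` is applied when pam_winbind authenticates the user, and sshd only runs the PAM auth stack for password or keyboard-interactive logins, so after changing the profile verify with the login method actually in use on the box, and run the audit above against /etc/pam.d/common-auth after `pam-auth-update` has regenerated it.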