Re: [Samba] Restricting AD group logging on to Servers
- Date: Sat, 2 Dec 2017 11:06:41 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Restricting AD group logging on to Servers
On Sat, 2 Dec 2017 09:15:02 -0000
Roy Eastwood via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > > try adding the 'require_membership_of' line to the winbind auth
> > > > line in PAM.
> > > > Rowland
> > > Thanks Rowland, that did the trick and is the simplest solution.
> > >
> > > Found that only one \ was required to separate the domain part
> > > from the group name part - ie DOMAIN\linuxadmins rather than
> > > DOMAIN\\linuxadmins. (the man page for pam_winbind.conf
> > > suggests two \\ are needed)
> > Just one thing on that. Remember that this is not checked by SSH
> > for authorized_keys based logins, it is run on the password
> > checking path only. As long as they can't add such keys (no home
> > dir) that is fine, but just be aware.
> > I take it you have set a template shell and that is why you have
> > access at all?
> > Thanks,
> > Andrew Bartlett
> Thanks for pointing this out - I hadn't realised that. Yes I have
> set a template in smb.conf for shell and home dir on the DCs but use
> the unix attributes in AD for member servers. So to prevent such
> logons, I should not set the home dir template or should I set it
> to /dev/null or similar non-existent dir?
I think Andrew has thrown you a curved ball here. By default on a DC,
the logon shell is /bin/false and the homedirectory is '/home/%D/%U.
That is, no users can log in, but if they could, they would get a
homedir in /home/DOMAIN/username. So, as far as a DC is concerned, if
you want anybody to logon, you must change the template shell
parameter, but this would allow any user to logon. If you change the
home dir template, this will also be used for all users, so if one
group cannot logon, no one can logon.
Your way of only allowing members of one group to logon is probably the
only way to go. If a user doesn't have a home dir created they cannot
logon and if they cannot logon, they will not get a home dir created,
so there will be nowhere to store any ssh keys.
To unsubscribe from this list go to the following URL and read the