Hello,

I have samba set up using winbind so that I can ssh into the box with my DOMAIN\mylogin. That's great...kind of. How do I control which users can login to the box? As it stands now, all users in DOMAIN can log in, which is not desirable. Do I need to map domain groups to unix groups? Do I need to map domain users to the box somehow? Even if I do that, how do I then set it up so some users can log into the server and others cannot?

David Shapiro
Unix Team Lead
919-765-2011
Gordon Messmer
2006-Feb-21 17:04 UTC
[Samba] How to control who can log into the samba box
David Shapiro wrote:
> I have samba set up using winbind so that I can ssh into the box with
> my DOMAIN\mylogin. That's great...kind of. How do I control which
> users can login to the box?

I usually do that by reconfiguring sshd for key-only authentication (that is, disable password based auth). Configure samba to hide or veto the ssh authorized_keys file, and you alone will have access to add keys for the users to whom you want to grant login privileges.
Do you have an example of the hide/veto option you used and sshd_config mod you did to do this?

David

David Shapiro
Unix Team Lead
919-765-2011
On 2/20/06, David Shapiro <David.Shapiro@bcbsnc.com> wrote:
> I have samba set up using winbind so that I can ssh into the box with
> my DOMAIN\mylogin. That's great...kind of. How do I control which
> users can login to the box? As it stands now, all users in DOMAIN can
> log in, which is not desirable. Do I need to map domain groups to unix
> groups? Do I need to map domain users to the box somehow? Even if I do
> that, how do I then set it up so some users can log into the server and
> others cannot?

You should be able to use sshd_config's AllowUsers, DenyUsers, AllowGroups, and DenyGroups to do this.

Josh Kelley
Parker, Michael
2006-Feb-21 22:25 UTC
[Samba] How to control who can log into the samba box
Edit the /etc/security/access.conf file. I had the same problem, but I changed this file to allow only members of an AD group to log in remotely.
Gordon Messmer
2006-Feb-22 00:33 UTC
[Samba] How to control who can log into the samba box
David Shapiro wrote:
> Do you have an example of the hide/veto option you used and sshd_config
> mod you did to do this?

In smb.conf, you can use:

    veto files = /.ssh/

In sshd_config, you can set:

    PasswordAuthentication no

Make sure you've put keys for your own account on the system, and are able to log in and su to root, before you make the latter change.
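
The shell functions below are an added example, not code from any poster in this thread. They check the settings suggested above (key-only sshd authentication, an AllowUsers/AllowGroups list, and a Samba veto on .ssh), and go one step further by also checking keyboard-interactive authentication; the group name unix-admins and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example: each function reads config text on stdin
# (`sshd -T` output for the first two, `testparm -s` for the third).

# Succeeds only if no password-style login path is left enabled.
# Keyboard-interactive (older keyword: challengeresponse) can still ask
# for a password through PAM when passwordauthentication is "no".
password_logins_disabled() {
    awk '
        { k = tolower($1); v = tolower($2) }
        k == "passwordauthentication" { seen = 1; if (v != "no") bad = 1 }
        (k == "kbdinteractiveauthentication" ||
         k == "challengeresponseauthentication") && v == "yes" { bad = 1 }
        END { exit !(seen && !bad) }'
}

# Prints the AllowUsers/AllowGroups entries; fails if there are none,
# i.e. no sshd allow list is in effect.
login_allowlist() {
    awk 'tolower($1) ~ /^allow(users|groups)$/ { print; n++ }
         END { exit !n }'
}

# Succeeds if a "veto files" line lists .ssh (entries are /-separated).
ssh_dir_vetoed() {
    awk -F= '
        tolower($1) ~ /^[ \t]*veto files[ \t]*$/ {
            n = split($2, e, "/")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", e[i])
                if (e[i] == ".ssh") ok = 1
            }
        }
        END { exit !ok }'
}

# Constructed sample inputs; "unix-admins" is a hypothetical group name.
SSHD_SAMPLE='passwordauthentication no
kbdinteractiveauthentication no
allowgroups unix-admins'
SMB_SAMPLE='[homes]
    veto files = /.ssh/'

printf '%s\n' "$SSHD_SAMPLE" | password_logins_disabled \
    && echo "password logins: disabled"
printf '%s\n' "$SSHD_SAMPLE" | login_allowlist >/dev/null \
    && echo "sshd allow list: present"
printf '%s\n' "$SMB_SAMPLE" | ssh_dir_vetoed \
    && echo ".ssh vetoed in Samba"
```

On a real host, run as root and pipe `sshd -T` into the first two functions and `testparm -s` into the third, in place of the constructed samples.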