Hiya,

I'm trying to set up a Samba PDC with an LDAP backend.
I experienced problems joining machines to domains: the machine account was created, but Windows said the user name cannot be found.
I resolved this by adding ldap to /etc/nsswitch.conf, but this has the side effect of allowing ldap users to log in to the server via SSH.
Whilst I can understand the need for LDAP users to be accessible to the system, i.e. checkpwnam etc. for permissions, I don't want users to be able to log in anywhere except the client Windows 2000/XP boxes.

People (only 3) who can log in via SSH already have "real" user accounts in /etc/passwd etc.

Is there a way to stop this being allowed?

Thanks.
Ben
Hi,

On 12/4/06, Ben Wheare <samba-users@bwgames.net> wrote:
> Hiya,
>
> I'm trying to set up a Samba PDC with an LDAP backend.
> I experienced problems joining machines to domains: the machine account
> was created, but Windows said the user name cannot be found.
> I resolved this by adding ldap to /etc/nsswitch.conf, but this has the
> side effect of allowing ldap users to log in to the server via SSH.
> Whilst I can understand the need for LDAP users to be accessible to the
> system, i.e. checkpwnam etc. for permissions, I don't want users to be
> able to log in anywhere except the client Windows 2000/XP boxes.
>
> People (only 3) who can log in via SSH already have "real" user accounts
> in /etc/passwd etc.
>
> Is there a way to stop this being allowed?

Check your sshd (/etc/ssh/sshd_config) configuration, especially the AllowUsers and/or AllowGroups options.

--
Carlos Eduardo Pedroza Santiviago
If you don't want some users to be able to log in using their posix accounts, give them a null shell: put /bin/false in the shell attribute.
I don't know what distribution you use or what the default of the idealx scripts is, but in Debian, smbldap-tools (the packaged idealx scripts) does that by default.
That way any access that requires a shell will not work for these users.

Regards.

Edmundo Valle Neto

Ben Wheare wrote:
> Hiya,
>
> I'm trying to set up a Samba PDC with an LDAP backend.
> I experienced problems joining machines to domains: the machine
> account was created, but Windows said the user name cannot be found.
> I resolved this by adding ldap to /etc/nsswitch.conf, but this has the
> side effect of allowing ldap users to log in to the server via SSH.
> Whilst I can understand the need for LDAP users to be accessible to
> the system, i.e. checkpwnam etc. for permissions, I don't want users to
> be able to log in anywhere except the client Windows 2000/XP boxes.
>
> People (only 3) who can log in via SSH already have "real" user
> accounts in /etc/passwd etc.
>
> Is there a way to stop this being allowed?
>
> Thanks.
> Ben
Hi,

Carlos Eduardo Pedroza Santiviago wrote:
>> People (only 3) who can log in via SSH already have "real" user accounts
>> in /etc/passwd etc.

You don't need to create special "real" user accounts, as you call them. Restrict sshd with AllowGroups, AllowUsers, DenyGroups and/or DenyUsers.
Also you can set the "loginShell" attribute in LDAP to /bin/false for users who don't need a shell.

Best regards
Marc

--
Marc Muehlfeld
Zentrum fuer Humangenetik und Laboratoriumsmedizin
Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de
On 05/12/2006, at 4:28 AM, Ben Wheare wrote:
> Hiya,
>
> I'm trying to set up a Samba PDC with an LDAP backend.
> I experienced problems joining machines to domains: the machine
> account was created, but Windows said the user name cannot be found.
> I resolved this by adding ldap to /etc/nsswitch.conf, but this has
> the side effect of allowing ldap users to log in to the server via SSH.
> Whilst I can understand the need for LDAP users to be accessible to
> the system, i.e. checkpwnam etc. for permissions, I don't want users
> to be able to log in anywhere except the client Windows 2000/XP
> boxes.
>
> People (only 3) who can log in via SSH already have "real" user
> accounts in /etc/passwd etc.

Do these people have multiple user accounts? (one for samba and one for their "real" one?) ... I would consider it a bad idea to do so (IMHO).

> Is there a way to stop this being allowed?

The way I achieve this (since in my setup I'm the only person who is allowed to log into the linux boxes) is to make sure all other users have no password entry in the ldap database (note: they have the samba password entries, just not the posix one), and to make sure their home folder is /dev/null and their login shell is /bin/false.

I think there's also probably a shadow option that disables the posix account (haven't checked yet) - since my method may be able to be bypassed by a user executing a given command at the ssh command line - actually I'll look into that as soon as I get into work today. I'm not sure if doing that would actually prevent samba from using the account for SMB purposes.

--
Matt Skerritt
matt.skerritt@agrav.net
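The replies above recommend two server-side controls: a non-login shell in each LDAP user's loginShell attribute, and sshd's AllowUsers/AllowGroups directives. The script below is an added example, not code from this thread, from Samba or from smbldap-tools; it audits both controls over constructed samples that stand in for `getent passwd`, `getent group` and /etc/ssh/sshd_config output (user names, uids, gids and the group name sshusers are made up). The sshd decision is a simplified model of OpenSSH's behaviour: it ignores DenyUsers/DenyGroups, wildcards and user@host patterns, and treats every Allow* directive present as a condition the user must satisfy. Replace the three sample variables with the real command output to run it against a live PDC.

```shell
#!/bin/sh
# Added example (not from the thread): report which accounts visible through
# nsswitch can run commands, and which of them sshd would still let in.

# Constructed stand-in for `getent passwd` output (names and ids are made up).
# alice is an LDAP user whose loginShell was never restricted; bob and the
# machine account pc01$ carry /bin/false as the replies recommend.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
ben:x:1000:1000:Ben (local account):/home/ben:/bin/bash
alice:x:10001:513:Alice (LDAP):/home/alice:/bin/bash
bob:x:10002:513:Bob (LDAP):/home/bob:/bin/false
pc01$:x:10500:515:Machine account:/dev/null:/bin/false'

# Constructed stand-in for `getent group` output.
GROUP_SAMPLE='sshusers:x:2000:ben
domainusers:x:513:alice,bob'

# Constructed sshd_config fragment: only members of a local group may log in.
SSHD_CONFIG_SAMPLE='# only the three local admins may log in over SSH
AllowGroups sshusers'

# Print, space separated, every account whose login shell can execute commands,
# i.e. whose shell is not one of the usual "no login" shells.
interactive_shell_users() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '
        $7 != "/bin/false" && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" {
            printf "%s%s", sep, $1; sep = " "
        }
        END { printf "\n" }'
}

# Print the groups a user belongs to: the primary group (matched by gid)
# plus every group listing the user as a supplementary member.
user_groups() {
    user="$1"
    gid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$user" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$user" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Simplified sshd AllowUsers/AllowGroups check: prints "allowed" or "denied".
# If AllowUsers is present the user must be listed; if AllowGroups is present
# the user must be in one of the listed groups; both conditions apply when
# both directives are set.
ssh_allowed() {
    user="$1"
    allow_users=$(printf '%s\n' "$SSHD_CONFIG_SAMPLE" | awk '$1 == "AllowUsers" { $1 = ""; print }')
    allow_groups=$(printf '%s\n' "$SSHD_CONFIG_SAMPLE" | awk '$1 == "AllowGroups" { $1 = ""; print }')
    if [ -n "$allow_users" ]; then
        case " $allow_users " in
            *" $user "*) ;;
            *) echo denied; return 0 ;;
        esac
    fi
    if [ -n "$allow_groups" ]; then
        matched=0
        for g in $(user_groups "$user"); do
            case " $allow_groups " in
                *" $g "*) matched=1 ;;
            esac
        done
        if [ "$matched" -ne 1 ]; then
            echo denied
            return 0
        fi
    fi
    echo allowed
}

# Audit report: one line per account that still has an interactive shell,
# showing whether sshd would admit it under the sampled configuration.
audit_report() {
    for u in $(interactive_shell_users); do
        printf '%-8s shell=interactive ssh=%s\n' "$u" "$(ssh_allowed "$u")"
    done
}

audit_report
```

In the sample, alice keeps an interactive shell because her loginShell was never changed, yet the AllowGroups line still keeps her out of SSH; the two controls are independent, so applying both (a /bin/false shell and a restrictive AllowGroups) means a mistake in either one does not by itself open a login.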