Hi, list.

I'm running samba-3.5.4 + winbind on a RHEL 5 server. I'm trying to allow ssh logins to users in a particular Active Directory group in the TESTDOMAIN domain.

My problem is that group membership seems to be updated when the user logs in. So, if I remove a user from the allowed group, the first login attempt is successful.

This is my samba/winbind configuration:

[global]
workgroup = TESTDOMAIN
password server = server1.testdomain server2.testdomain
realm = test.domain
encrypt passwords = yes
netbios name = TESTSERVER
security = ads
; idmap uid = 10000 - 20000
; idmap gid = 10000 - 20000
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config TESTDOMAIN : backend = rid
idmap config TESTDOMAIN : range = 10000 - 49999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 50000 - 99999
idmap config TRUSTED : base_rid = 1000
winbind separator = +
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
auth methods = winbind
log level = 3
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
idmap cache time = 30
winbind cache time = 10

nscd is not running, just in case it matters.

Any hint?

-- 
Luis Marqueta <luis at marqueta.org>
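Added example, not from the thread: a small parser for the smb.conf posted above that reports the two settings a reviewer of this setup would look at first, the "winbind cache time" bound on how long a group lookup can still be answered from winbind's cache after the membership changed in AD, and whether any of the configured idmap uid ranges overlap (which would let two different SIDs map to one uid). Function names are my own; the embedded config is an excerpt of the post's, kept with its commented-out lines.

```python
import re

# Excerpt of the smb.conf from the post above (embedded sample); ';' lines are its commented-out settings.
SMB_CONF = """\
[global]
; idmap uid = 10000 - 20000
; idmap gid = 10000 - 20000
idmap uid = 1000000-1999999
idmap config TESTDOMAIN : backend = rid
idmap config TESTDOMAIN : range = 10000 - 49999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 50000 - 99999
winbind offline logon = false
winbind cache time = 10
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; ';' and '#' start comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def membership_staleness(conf):
    """Settings bounding how long winbind may answer a user/group lookup from its cache."""
    g = conf["global"]
    return {
        "winbind cache time": int(g.get("winbind cache time", "300")),  # Samba default is 300s
        "winbind offline logon": g.get("winbind offline logon", "no").lower() in ("yes", "true", "1"),
    }

def overlapping_idmap_ranges(conf):
    """Pairs of configured uid ranges that overlap: two different SIDs could then share a uid."""
    ranges = []
    for key, value in conf["global"].items():
        if key == "idmap uid" or key.endswith(" : range"):
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
            ranges.append((lo, hi, key))
    ranges.sort()  # after sorting by start, any overlap shows up between neighbours
    return [(a[2], b[2]) for a, b in zip(ranges, ranges[1:]) if b[0] <= a[1]]
```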
On Thu, Feb 16, 2012 at 10:38:05AM +0100, Luis Marqueta wrote:
> Hi, list.
>
> I'm running samba-3.5.4 + winbind on a RHEL 5 server. I'm trying to
> allow ssh logins to users in a particular Active Directory group in the
> TESTDOMAIN domain.
>
> My problem is that group membership seems to be updated when the user
> logs in. So, if I remove a user from the allowed group, the first login
> attempt is successful.

Hmmmm. I see. Is this a generic pam issue? Doesn't pam get the group list for the user after a successful authentication (would seem like no sense doing it before)?

Jeremy.