Hi,

I have a Debian Stretch system running a self-compiled version 4.7.3 of Samba. Having followed the Samba Wiki to allow AD users to log onto the servers using PAM authentication, I now want to restrict access to specified group(s). So I created a linuxadmins group and made some test users members of the group.

Initially I tried to restrict access by modifying /etc/security/access.conf and adding a file to /usr/share/pam-configs containing Auth: required pam_access.so. This works OK for normal users, including AD users, but I cannot get it to work for AD groups. For example, I wanted to deny Domain Users, but allow linuxadmins. I have tried all variations, e.g. DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain users; in quotes or not, with () as per the man page, but cannot get this to work - i.e. no matter what I enter, all AD users are allowed to log in (using SSH).

Searching the net I found reference to the pam_winbind.conf file in /etc/security. This did not exist, so I created a file containing the line: require_membership_of=DOMAIN\\linuxadmins but this has no effect. The man pages for pam_winbind and pam_winbind.conf indicate it has been built for Samba v4.7 but state "is correct for version 3 of Samba". So I assume it's no longer used for version 4?

On member servers, setting the user's shell to /bin/false in the Unix Attributes tab of ADUC will prevent access, but this doesn't work for the DCs as this value is ignored.

So how can this be done?

Many thanks,

Roy
On Fri, 1 Dec 2017 17:06:42 -0000 Roy Eastwood via samba <samba at lists.samba.org> wrote:

> Hi,
> I have a Debian Stretch system running a self-compiled version 4.7.3
> of Samba. Having followed the Samba WiKi to allow AD users to log
> onto the servers using PAM authentication, I now want to restrict
> access to specified group(s). So I created a linuxadmins group and
> made some test users members of the group.
>
> Initially I tried to restrict access by
> modifying /etc/security/access.conf and adding a file
> to /usr/share/pam-configs containing Auth: required pam_access.so.
> This works OK for normal users, including AD users, but I cannot get
> it to work for AD groups. For example, I wanted to deny Domain
> Users, but allow linuxadmins. I have tried all variations eg
> DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> users; in quotes or not, with () as per the man page but cannot
> get this to work - ie no matter what I enter all AD users are allowed
> to log in (using SSH).
>
> Searching the net I found reference to the pam_winbind.conf file
> in /etc/security. This did not exist, so I created a file
> containing the line: require_membership_of=DOMAIN\\linuxadmins but
> this has no effect. The man pages for pam_winbind and
> pam_winbind.conf indicate it has been built for Samba v4.7 but states
> "is correct for version 3 of Samba". So I assume it's no longer
> used for version 4?
>
> On member servers, setting the user's shell to /bin/false in the Unix
> Attributes tab of ADUC will prevent access, but this doesn't work for
> the DCs as this value is ignored.
>
> So how can this be done?
>
> Many thanks,
>
> Roy
>

try adding the 'require_membership_of' line to the winbind auth line in PAM.

Rowland
> -----Original Message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: 01 December 2017 17:40
> To: samba at lists.samba.org
> Cc: Roy Eastwood
> Subject: Re: [Samba] Restricting AD group logging on to Servers
>
> On Fri, 1 Dec 2017 17:06:42 -0000
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> > I have a Debian Stretch system running a self-compiled version 4.7.3
> > of Samba. Having followed the Samba WiKi to allow AD users to log
> > onto the servers using PAM authentication, I now want to restrict
> > access to specified group(s). So I created a linuxadmins group and
> > made some test users members of the group.
> >
> > Initially I tried to restrict access by
> > modifying /etc/security/access.conf and adding a file
> > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > This works OK for normal users, including AD users, but I cannot get
> > it to work for AD groups. For example, I wanted to deny Domain
> > Users, but allow linuxadmins. I have tried all variations eg
> > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> > users; in quotes or not, with () as per the man page but cannot
> > get this to work - ie no matter what I enter all AD users are allowed
> > to log in (using SSH).
> >
> > Searching the net I found reference to the pam_winbind.conf file
> > in /etc/security. This did not exist, so I created a file
> > containing the line: require_membership_of=DOMAIN\\linuxadmins but
> > this has no effect. The man pages for pam_winbind and
> > pam_winbind.conf indicate it has been built for Samba v4.7 but states
> > "is correct for version 3 of Samba". So I assume it's no longer
> > used for version 4?
> >
> > On member servers, setting the user's shell to /bin/false in the Unix
> > Attributes tab of ADUC will prevent access, but this doesn't work for
> > the DCs as this value is ignored.
> >
> > So how can this be done?
> >
> > Many thanks,
> >
> > Roy
> >
>
> try adding the 'require_membership_of' line to the winbind auth line in
> PAM.
>
> Rowland

Thanks Rowland, that did the trick and is the simplest solution. Found that only one \ was required to separate the domain part from the group name part - i.e. DOMAIN\linuxadmins rather than DOMAIN\\linuxadmins. (The man page for pam_winbind.conf suggests two \\ are needed.)

Regards,

Roy
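As an added example (not code from the thread, from Samba or from Debian): a pam-configs profile that puts require_membership_of on the pam_winbind auth lines, as Rowland suggests, plus a small audit that flags winbind auth lines that lack the restriction or use the double backslash Roy found does not work. The group DOMAIN\linuxadmins, the profile name and the other pam_winbind options are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a Debian pam-configs profile that
# carries require_membership_of on the pam_winbind auth lines, and audits a
# PAM file (pam-configs profile or /etc/pam.d style) for that restriction.
# DOMAIN\linuxadmins, the profile name and the other module options are
# assumptions; adjust them for your domain.

# Write the profile to $1 (defaults to a temp file so this runs offline;
# on a real host use /usr/share/pam-configs/winbind and run pam-auth-update).
write_winbind_profile() {
    dst="${1:-$(mktemp)}"
    cat > "$dst" <<'EOF'
Name: Winbind AD authentication restricted to DOMAIN\linuxadmins
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass require_membership_of=DOMAIN\linuxadmins
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login require_membership_of=DOMAIN\linuxadmins
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
EOF
    printf '%s\n' "$dst"
}

# Audit: every pam_winbind.so line in an auth phase must carry
# require_membership_of, written with a single backslash (the thread found
# that DOMAIN\\group did not work). Prints offenders; returns 0 when the
# file is clean, 1 otherwise.
audit_winbind_auth() {
    awk '
        /^[A-Za-z-]+:/ { in_auth = ($1 ~ /^Auth(-Initial)?:$/) }   # pam-configs sections
        /^[ \t]*auth[ \t]/ { in_auth = 1 }                            # /etc/pam.d style
        /^[ \t]*(account|password|session)[ \t]/ { in_auth = 0 }
        /pam_winbind\.so/ && in_auth {
            if ($0 !~ /require_membership_of=/) { print "UNRESTRICTED: " $0; bad++ }
            else if ($0 ~ /require_membership_of=[^ \t]*\\\\/) { print "DOUBLE BACKSLASH: " $0; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run the audit against the generated /etc/pam.d/common-auth after pam-auth-update so the restriction is confirmed on the file PAM actually reads, not only on the profile.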