Hi Matt,
On 09/22/2006 01:24 PM, Matt Herzog wrote:
> Thanks to Anthony Ciarochi at Centeris for this solution.
>
> I have a CentOS (Red Hat-based) server that is now accessible to AD users
> AND local users via ssh. I can control which AD groups can log in using the
> syntax below. Red Hat-based distros use "pam_stack" in pam.d which is quite
> different than Debian's "include" based pam.d,
>
> cat /etc/pam.d/sshd
> # ----------------------------------------------------------------------
> #%PAM-1.0
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_succeed_if.so user ingroup sshlogin
> account sufficient pam_succeed_if.so user ingroup wheel
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_loginuid.so
> session sufficient pam_mkhomedir.so skel=/etc/skel umask=0027
> # ----------------------------------------------------------------------
>
> The critical lines are:
>
> account sufficient pam_succeed_if.so user ingroup sshlogin
>
> The above is to allow an AD group "sshlogin" to ssh in.
>
> account sufficient pam_succeed_if.so user ingroup wheel
>
> The above allows anyone in the *local machine* unix group "wheel" to ssh in.
>
> session sufficient pam_mkhomedir.so skel=/etc/skel umask=0027
>
> The above creates home dirs and dot files for AD users when they log in for
> the first time.
Could you add that information to the wiki?
http://wiki.samba.org
Kind regards,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
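Added example, not part of the original message and not Linux-PAM code: a simplified Python model of how the two `account sufficient` lines quoted above are evaluated, showing that a user in neither group is denied because an account stack in which no module succeeds fails. The user names and group memberships are constructed, only `pam_succeed_if.so user ingroup` is modelled, and the model also handles `required`, `requisite` and `optional`, which goes beyond the two lines in the message.

```python
# Added example: simplified model of Linux-PAM control flags, not Linux-PAM code.
SSHD_ACCOUNT = """\
account sufficient pam_succeed_if.so user ingroup sshlogin
account sufficient pam_succeed_if.so user ingroup wheel
"""

# Constructed membership: "sshlogin" stands for the AD group, "wheel" is local.
GROUPS = {
    "alice": {"domain users", "sshlogin"},
    "bob": {"bob", "wheel"},
    "mallory": {"domain users"},
}
FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse(text, mgmt="account"):
    """Return (control, module, args) for every line of one management group."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mgmt:
            if fields[1] not in FLAGS:
                raise ValueError("control not modelled: " + fields[1])
            rules.append((fields[1], fields[2], fields[3:]))
    return rules

def run_module(module, args, user, groups):
    """Only 'pam_succeed_if.so user ingroup GROUP' is modelled."""
    if module == "pam_succeed_if.so" and args[:2] == ["user", "ingroup"] and len(args) == 3:
        return args[2] in groups.get(user, set())
    raise NotImplementedError(module)

def evaluate(rules, user, groups):
    """Walk the stack; failed sufficient/optional modules are ignored, and a
    stack in which nothing succeeds is denied."""
    passed = failed = False
    for control, module, args in rules:
        ok = run_module(module, args, user, groups)
        if ok and control == "sufficient" and not failed:
            return True        # stack ends here, later lines are not consulted
        if ok:
            passed = True
        elif control == "requisite":
            return False       # immediate denial
        elif control == "required":
            failed = True      # denial, but the remaining lines still run
    return passed and not failed

def decide(user, text=SSHD_ACCOUNT, groups=GROUPS):
    return evaluate(parse(text), user, groups)

if __name__ == "__main__":
    print({name: decide(name) for name in GROUPS})
```

Because a `sufficient` success ends the stack, no later `account` line is consulted for members of the two groups; that matters if account-expiry or lockout checks are expected to run for them.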