You can restrict access to specific local and domain groups:

    #account required pam_stack.so service=system-auth
    account sufficient pam_succeed_if.so user ingroup users
    account sufficient pam_succeed_if.so user ingroup webdevelopers

Check here for more info:
http://linux.die.net/man/8/pam_succeed_if

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Luv Linux
Sent: Wednesday, September 16, 2009 4:14 PM
To: samba at lists.samba.org
Subject: [Samba] locking down ssh when using winbind
Hi all,

I'm using samba with winbind which has been integrated with Active
Directory.
In the smb.conf file, I have

    template shell = /bin/bash
    winbind use default domain = yes

to allow ssh but I don't want all the domain users to be able to ssh.
Is there a way to only allow (for example) domain\ssh_group, which is an
Active Directory group, to be able to ssh into the server?

This is my current pam.d/sshd file:

    auth required pam_nologin.so
    auth sufficient pam_stack.so service=system-auth
    auth sufficient pam_winbind.so
    account sufficient pam_stack.so service=system-auth
    account sufficient pam_winbind.so
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session required pam_loginuid.so
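
Added example, not part of either message above and not Samba or Linux-PAM code: a simplified Python model of how PAM evaluates the account stack, showing why the position and control flag of a pam_succeed_if group test decide whether it actually restricts ssh. It assumes pam_winbind's account check accepts any known domain user; the users, the group memberships and the "required gate" layout are constructed for illustration.

```python
# Simplified model of how Linux-PAM evaluates one management group (account).
# Constructed sample data: these users and memberships are made up.
GROUPS = {"alice": {"domain users", "ssh_group"}, "bob": {"domain users"}}

def ingroup(group):
    """Stand-in for: pam_succeed_if.so user ingroup <group>."""
    return lambda user: group in GROUPS.get(user, set())

def winbind(user):
    """Assumption: pam_winbind's account check accepts any known domain user."""
    return user in GROUPS

def evaluate(stack, user):
    """Return True if the stack grants access (required/requisite/sufficient/optional)."""
    failed = False     # a required module has failed earlier in the stack
    succeeded = False  # at least one module has returned success
    for control, module in stack:
        ok = module(user)
        if control == "requisite" and not ok:
            return False              # fail immediately
        if control == "required" and not ok:
            failed = True             # remember the failure, keep going
        if ok:
            succeeded = True
            if control == "sufficient" and not failed:
                return True           # stop here; later lines never run
        # a failing sufficient or optional module is ignored
    return succeeded and not failed   # no module succeeded means denied

def allowed(stack):
    """Users from the sample data that the stack lets through."""
    return sorted(u for u in GROUPS if evaluate(stack, u))

# Group test appended after an existing "sufficient pam_winbind" line:
# winbind already ends the stack with success, so the test is never reached.
APPENDED = [("sufficient", winbind), ("sufficient", ingroup("ssh_group"))]

# Account stack made only of sufficient group tests: non-members fall off
# the end of the stack with no success and are denied.
ONLY_GROUP = [("sufficient", ingroup("ssh_group"))]

# Group test first as a required gate, then the usual account check.
GATED = [("required", ingroup("ssh_group")), ("sufficient", winbind)]

if __name__ == "__main__":
    for name, stack in [("appended", APPENDED), ("only_group", ONLY_GROUP), ("gated", GATED)]:
        print(f"{name:11s} allows {allowed(stack)}")
```
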