I am using a member server with AD as my source of accounts. ssh logins work great. Yesterday, one of my students wanted to see what a fork bomb was and so now I need to place ulimits on place. Attempts to use AD domain groups fail. So I'm not sure this is an issue for samba+winbind or for /etc/security/limits.conf and pam. Here's what I have added in limits.conf # -- fix fork bomb issue -- @"Domain Users" soft nproc 20 @"Domain Users" hard nproc 20 And here is what I have in pam.d/common-session session required pam_limits.so -- I'm pretty sure the pam stuff is correct because I was able to set nproc limits on a non-domain user. But I'm wondering if we can set limits to AD provided groups. Any advice? -- David Bear mobile: (602) 903-6476
On 25/11/15 20:43, David Bear wrote:> I am using a member server with AD as my source of accounts. ssh logins > work great. > > Yesterday, one of my students wanted to see what a fork bomb was and so now > I need to place ulimits on place. Attempts to use AD domain groups fail. So > I'm not sure this is an issue for samba+winbind or for > /etc/security/limits.conf and pam. > > Here's what I have added in limits.conf > > # -- fix fork bomb issue -- > @"Domain Users" soft nproc 20 > @"Domain Users" hard nproc 20 > > And here is what I have in pam.d/common-session > > session required pam_limits.so > > -- > I'm pretty sure the pam stuff is correct because I was able to set nproc > limits on a non-domain user. > > But I'm wondering if we can set limits to AD provided groups. Any advice? > >Never tried, but does 'getent group Domain\ Users' return anything ? Rowland
seems to work : ------------------------------ getent group 'Domain Users' domain users:x:10513: ------------------------------ I'm wondering of the settings that pam makes happen before winbind is ready? On Wed, Nov 25, 2015 at 2:10 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:> On 25/11/15 20:43, David Bear wrote: > >> I am using a member server with AD as my source of accounts. ssh logins >> work great. >> >> Yesterday, one of my students wanted to see what a fork bomb was and so >> now >> I need to place ulimits on place. Attempts to use AD domain groups fail. >> So >> I'm not sure this is an issue for samba+winbind or for >> /etc/security/limits.conf and pam. >> >> Here's what I have added in limits.conf >> >> # -- fix fork bomb issue -- >> @"Domain Users" soft nproc 20 >> @"Domain Users" hard nproc 20 >> >> And here is what I have in pam.d/common-session >> >> session required pam_limits.so >> >> -- >> I'm pretty sure the pam stuff is correct because I was able to set nproc >> limits on a non-domain user. >> >> But I'm wondering if we can set limits to AD provided groups. Any advice? >> >> >> > Never tried, but does 'getent group Domain\ Users' return anything ? > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- David Bear mobile: (602) 903-6476