Heinz Allerberger
2016-Apr-05 17:30 UTC
[Samba] SerNet - Samba 4.3 and ssh password logins
Hi everyone,

I have a SerNet-Samba 4.3.6-10 AD which works fine.

Now I am trying to implement a fileserver. It is a server with a lot of (old) users who have a Unix account. On this server there are also users who should be able to log in from the Internet over ssh.

But now I'm running into trouble with the security of my fileserver. If I install samba 4.3.6 on it and activate sernet-samba-client with winbind, every user can log in over ssh with his Windows AD password. This seems dangerous to me.

I could live with this, but then it should be possible for me to deny the ssh login to some users who should not have the possibility to log in from the Internet. These users should still be able to log in to the domain from a Windows machine on the AD.

How can I do that?

Please don't worry about my English. I'm German and it is not my main language.

Regards,
Heinz
On Tue, 5 Apr 2016, Heinz Allerberger wrote:
> [...]

If you just want to prevent logins via ssh, you can configure sshd to only allow certain groups to log in (man sshd, see AllowGroups), then put your local ssh users in said group. This would also let you allow certain AD users to log in as well, if you wanted to do so in the future.

If there are other services on the system that Windows users might be able to authenticate to as well, you might look into doing this with PAM instead. It would probably be a bit more complicated, but it can apply to whatever services you want that way.

Alternatively, and I haven't tested this, you could _probably_ also do it by removing winbind from the shadow: line in /etc/nsswitch.conf. I believe smbd only uses the system to look up uids/gids (so you still need it in the passwd: and group: lines); other than that it talks to winbind or the DC directly for user authentication.
On 05/04/16 18:30, Heinz Allerberger wrote:
> [...]

You could take a look at pam_access, see 'man pam_access'

Rowland
That's pretty simple to do.

Create a group on Windows, add the allowed users to it.
Add
  AllowGroups YourADGroup
in sshd_config.
Restart ssh.

If you want both Unix and Windows groups:
  AllowGroups YourADGroup YourLinuxGroup

Adduser Linuxgroup (for the Linux servers)

Greet,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heinz Allerberger
> Sent: Tuesday, 5 April 2016 19:31
> To: samba at lists.samba.org
> Subject: [Samba] SerNet - Samba 4.3 and ssh password logins
> [...]
Heinz Allerberger
2016-Apr-11 12:09 UTC
[Samba] SerNet - Samba 4.3 and ssh password logins
Dear members of the samba-list, dear Luis,

unfortunately it doesn't work. I believe I do not understand how I have to do it with the parameter AllowGroups in the ssh_config.

I tried different ways to restrict the ssh login of Windows (Samba) users:
=============================================
1.) In the sshd_config:
      AllowUsers root mysamba-user
    /etc/init.d/ssh restart

    ...this works!
    Nobody other than root and mysamba-user can log on with ssh.

2.) In the sshd_config:
      AllowGroups
    In /etc/group:
      ssh:x:105:mysamba-user
    /etc/init.d/ssh restart
    ...this doesn't work!

3.) In sshd_config:
      AllowGroups
    samba-tool group addmembers AllowGroups mysamba-user
    /etc/init.d/ssh restart
    ...this doesn't work!

4.) In sshd_config:
      AllowGroups AllowGroups
    samba-tool group addmembers AllowGroups mysamba-user
    /etc/init.d/ssh restart
    ...this doesn't work!

Please could anybody tell me what I'm doing wrong?

Regards,
Heinz

On 06.04.2016 at 07:58, L.P.H. van Belle wrote:
> [...]

--
Kind regards

Heinz Allerberger
Systemadministration
Klinikum der J.W.Goethe Universität
Zentrum Neurologie u. Neurochirurgie
Schleusenweg 2-16
D-60528 Frankfurt am Main

Mobile: 0157-76401339
Tel: 069/6301-4274
Fax: 069/6301-6842
Hai,

I have
  AllowGroups sshlinux sshwindows

Add at least 1 user to the Linux group and at least 1 to the sshwindows group.
Make sure the sshwindows group has a GID. And make sure the Windows users logging in via ssh also have a UID.
AND for both, UID 1000+ (which is the default PAM setting in Debian).

This is based on a "MEMBER" server.

If you do:
  getent passwd windowsuser
you get uid, gid, homedir and shell? And these are ok to log in?
If yes, is the home dir local on the server or shared?
If shared, and IF Kerberos-based NFSv4, then you need some more.
But first the above, else I'm lost in all the mails..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heinz Allerberger
> Sent: Monday, 11 April 2016 14:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] SerNet - Samba 4.3 and ssh password logins
> [...]
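As an added example (not code from this thread, from Samba or from OpenSSH), the following POSIX shell script emulates sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups evaluation over the passwd/group view that NSS presents once winbind is in nsswitch.conf; the users, groups and the gid-less AD group "noGidGroup" are constructed. It shows why a group without a GID mapping never matches (it is invisible to getent, so sshd never sees the membership) and why a bare AllowGroups keyword restricts nobody.

```shell
#!/bin/sh
# Emulation of sshd's allowed_user() checks (DenyUsers, AllowUsers, DenyGroups,
# AllowGroups, in that order; exact names only, no wildcard patterns) over the
# group view NSS would present on a winbind member server. Constructed data:
# "sshwindows" is an AD group that has a gidNumber; "noGidGroup" has none.
PASSWD_DB='heinz:x:1001:1001::/home/heinz:/bin/bash
mysamba-user:x:10001:10000::/home/mysamba-user:/bin/bash
otheruser:x:10002:10000::/home/otheruser:/bin/bash'
GROUP_DB='sshlinux:x:1001:
domain_users:x:10000:
sshwindows:x:10005:mysamba-user'

# All groups of a user as NSS (getgrouplist) reports them: primary + supplementary.
user_groups() {
  pgid=$(printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1==u{print $4}')
  printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" -v g="$pgid" '
    $3==g {print $1; next}
    { n=split($4, m, ","); for (i=1;i<=n;i++) if (m[i]==u) print $1 }'
}

# True if $1 appears in the whitespace-separated list $2.
in_list() { for x in $2; do [ "$x" = "$1" ] && return 0; done; return 1; }

# Value of keyword $1 in the sshd_config text $2 (empty if absent or bare keyword).
opt() { printf '%s\n' "$2" | awk -v k="$1" '$1==k {$1=""; print; exit}'; }

# Prints "allow" or "deny" for user $1 under the sshd_config text $2.
ssh_allowed() {
  user=$1; cfg=$2
  in_list "$user" "$(opt DenyUsers "$cfg")" && { echo deny; return; }
  allow_u=$(opt AllowUsers "$cfg")
  # An empty AllowUsers/AllowGroups list imposes no restriction: sshd only
  # applies the check when the list has at least one entry.
  [ -n "$(echo $allow_u)" ] && ! in_list "$user" "$allow_u" && { echo deny; return; }
  groups=$(user_groups "$user")
  for g in $groups; do
    in_list "$g" "$(opt DenyGroups "$cfg")" && { echo deny; return; }
  done
  allow_g=$(opt AllowGroups "$cfg")
  if [ -n "$(echo $allow_g)" ]; then
    for g in $groups; do in_list "$g" "$allow_g" && { echo allow; return; }; done
    echo deny; return
  fi
  echo allow
}

for u in heinz mysamba-user otheruser; do
  printf '%s: %s\n' "$u" "$(ssh_allowed "$u" 'AllowGroups sshlinux sshwindows')"
done
```

On a real member server, compare the emulated view with `getent group sshwindows` and `id mysamba-user`: if the AD group or the membership is missing there, sshd cannot match it either.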
Set up PAM to use winbind on this fileserver, see https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Authenticating_Domain_users_via_PAM for the details.

You can restrict access to the AD group "linuxusers" by replacing
  pam_winbind.so
with
  pam_winbind.so require_membership_of=linuxusers
in the auth configuration.

regards,
Marcel

2016-04-05 19:30 GMT+02:00 Heinz Allerberger <allerberger at em.uni-frankfurt.de>:
> [...]