> -----Original Message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: 01 December 2017 17:40
> To: samba at lists.samba.org
> Cc: Roy Eastwood
> Subject: Re: [Samba] Restricting AD group logging on to Servers
>
> On Fri, 1 Dec 2017 17:06:42 -0000
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> > I have a Debian Stretch system running a self-compiled version 4.7.3
> > of Samba. Having followed the Samba WiKi to allow AD users to log
> > onto the servers using PAM authentication, I now want to restrict
> > access to specified group(s). So I created a linuxadmins group and
> > made some test users members of the group.
> >
> > Initially I tried to restrict access by
> > modifying /etc/security/access.conf and adding a file
> > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > This works OK for normal users, including AD users, but I cannot get
> > it to work for AD groups. For example, I wanted to deny Domain
> > Users, but allow linuxadmins. I have tried all variations e.g.
> > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> > users; in quotes or not, with () as per the man page but cannot
> > get this to work - i.e. no matter what I enter all AD users are allowed
> > to log in (using SSH).
> >
> > Searching the net I found reference to the pam_winbind.conf file
> > in /etc/security. This did not exist, so I created a file
> > containing the line: require_membership_of=DOMAIN\\linuxadmins but
> > this has no effect. The man pages for pam_winbind and
> > pam_winbind.conf indicate it has been built for Samba v4.7 but states
> > "is correct for version 3 of Samba". So I assume it's no longer
> > used for version 4?
> >
> > On member servers, setting the user's shell to /bin/false in the Unix
> > Attributes tab of ADUC will prevent access, but this doesn't work for
> > the DCs as this value is ignored.
> >
> > So how can this be done?
> >
> > Many thanks,
> >
> > Roy
> >
>
> try adding the 'require_membership_of' line to the winbind auth line in
> PAM.
>
> Rowland

Thanks Rowland, that did the trick and is the simplest solution.

Found that only one \ was required to separate the domain part from the group name part - i.e. DOMAIN\linuxadmins rather than DOMAIN\\linuxadmins. (The man page for pam_winbind.conf suggests two \\ are needed.)

Regards,
Roy
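An added audit script, not part of the thread or of Samba, that checks a Debian-style PAM auth stack for the pam_winbind `require_membership_of` option Rowland suggested and flags the doubled backslash that Roy found does not match. The three sample files are constructed for the example; the file layout and option spelling are assumed to follow the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a PAM auth
# stack for the pam_winbind 'require_membership_of' restriction and
# classify how it is spelled. Assumes Debian common-auth style lines.

# Print the require_membership_of value from the first pam_winbind.so
# auth line in file $1; print nothing if the line or option is absent.
winbind_membership() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" \
        | grep 'pam_winbind\.so' \
        | sed -n 's/.*require_membership_of=\([^[:space:]]*\).*/\1/p' \
        | head -n 1
}

# Classify file $1 as:
#   missing - no group restriction, so every AD user passes PAM auth
#   doubled - DOMAIN\\group, which the thread reports as never matching
#   ok      - DOMAIN\group, the form that worked for the poster
classify_pam_auth() {
    v=$(winbind_membership "$1")
    case "$v" in
        '')      echo missing ;;
        *'\\'*)  echo doubled ;;
        *)       echo ok ;;
    esac
}

# Constructed sample PAM fragments (not copied from any real host).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/open" <<'EOF'
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth cached_login try_first_pass
auth    requisite                   pam_deny.so
EOF
cat > "$TMP/doubled" <<'EOF'
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth try_first_pass require_membership_of=DOMAIN\\linuxadmins
EOF
cat > "$TMP/ok" <<'EOF'
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth try_first_pass require_membership_of=DOMAIN\linuxadmins
EOF

for f in open doubled ok; do
    printf '%s: %s\n' "$f" "$(classify_pam_auth "$TMP/$f")"
done
```

Run it against a real `/etc/pam.d/common-auth` by calling `classify_pam_auth /etc/pam.d/common-auth`; a result of `missing` or `doubled` means the group restriction is not in effect on the password path.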
On Fri, 2017-12-01 at 18:04 +0000, Roy Eastwood via samba wrote:
> > -----Original Message-----
> > From: Rowland Penny [mailto:rpenny at samba.org]
> > Sent: 01 December 2017 17:40
> > To: samba at lists.samba.org
> > Cc: Roy Eastwood
> > Subject: Re: [Samba] Restricting AD group logging on to Servers
> >
> > On Fri, 1 Dec 2017 17:06:42 -0000
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> >
> > > Hi,
> > > I have a Debian Stretch system running a self-compiled version 4.7.3
> > > of Samba. Having followed the Samba WiKi to allow AD users to log
> > > onto the servers using PAM authentication, I now want to restrict
> > > access to specified group(s). So I created a linuxadmins group and
> > > made some test users members of the group.
> > >
> > > Initially I tried to restrict access by
> > > modifying /etc/security/access.conf and adding a file
> > > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > > This works OK for normal users, including AD users, but I cannot get
> > > it to work for AD groups. For example, I wanted to deny Domain
> > > Users, but allow linuxadmins. I have tried all variations e.g.
> > > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> > > users; in quotes or not, with () as per the man page but cannot
> > > get this to work - i.e. no matter what I enter all AD users are allowed
> > > to log in (using SSH).
> > >
> > > Searching the net I found reference to the pam_winbind.conf file
> > > in /etc/security. This did not exist, so I created a file
> > > containing the line: require_membership_of=DOMAIN\\linuxadmins but
> > > this has no effect. The man pages for pam_winbind and
> > > pam_winbind.conf indicate it has been built for Samba v4.7 but states
> > > "is correct for version 3 of Samba". So I assume it's no longer
> > > used for version 4?
> > >
> > > On member servers, setting the user's shell to /bin/false in the Unix
> > > Attributes tab of ADUC will prevent access, but this doesn't work for
> > > the DCs as this value is ignored.
> > >
> > > So how can this be done?
> > >
> > > Many thanks,
> > >
> > > Roy
> > >
> >
> > try adding the 'require_membership_of' line to the winbind auth line in
> > PAM.
> >
> > Rowland
>
> Thanks Rowland, that did the trick and is the simplest solution.
>
> Found that only one \ was required to separate the domain part from the group name part - i.e. DOMAIN\linuxadmins rather than
> DOMAIN\\linuxadmins. (The man page for pam_winbind.conf suggests two \\ are needed.)

Just one thing on that. Remember that this is not checked by SSH for
authorized_keys based logins, it is run on the password checking path
only. As long as they can't add such keys (no home dir) that is fine,
but just be aware.

I take it you have set a template shell and that is why you have access
at all?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
[snip]
> > > try adding the 'require_membership_of' line to the winbind auth line in
> > > PAM.
> > >
> > > Rowland
> >
> > Thanks Rowland, that did the trick and is the simplest solution.
> >
> > Found that only one \ was required to separate the domain part from the group name part - i.e. DOMAIN\linuxadmins rather than
> > DOMAIN\\linuxadmins. (The man page for pam_winbind.conf suggests two \\ are needed.)
>
> Just one thing on that. Remember that this is not checked by SSH for
> authorized_keys based logins, it is run on the password checking path
> only. As long as they can't add such keys (no home dir) that is fine,
> but just be aware.
>
> I take it you have set a template shell and that is why you have access
> at all?
>
> Thanks,
>
> Andrew Bartlett
>

Thanks for pointing this out - I hadn't realised that. Yes, I have set a template in smb.conf for shell and home dir on the DCs but use the unix attributes in AD for member servers. So to prevent such logons, should I not set the home dir template, or should I set it to /dev/null or a similar non-existent dir?

Thanks,
Roy