[snip]
> > > try adding the 'require_membership_of' line to the winbind auth line in
> > > PAM.
> > > Rowland
> > Thanks Rowland, that did the trick and is the simplest solution.
> >
> > Found that only one \ was required to separate the domain part from the group name part - ie DOMAIN\linuxadmins rather than
> > DOMAIN\\linuxadmins. (the man page for pam_winbind.conf suggests two \\ are needed)
>
> Just one thing on that. Remember that this is not checked by SSH for
> authorized_keys based logins, it is run on the password checking path
> only. As long as they can't add such keys (no home dir) that is fine,
> but just be aware.
>
> I take it you have set a template shell and that is why you have access
> at all?
>
> Thanks,
>
> Andrew Bartlett
>

Thanks for pointing this out - I hadn't realised that. Yes I have set a template in smb.conf for shell and home dir on the DCs but use the unix attributes in AD for member servers. So to prevent such logons, I should not set the home dir template or should I set it to /dev/null or similar non-existent dir?

Thanks,

Roy
On Sat, 2 Dec 2017 09:15:02 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> [snip]
> > > > try adding the 'require_membership_of' line to the winbind auth
> > > > line in PAM.
> > > > Rowland
> > > Thanks Rowland, that did the trick and is the simplest solution.
> > >
> > > Found that only one \ was required to separate the domain part
> > > from the group name part - ie DOMAIN\linuxadmins rather than
> > > DOMAIN\\linuxadmins. (the man page for pam_winbind.conf
> > > suggests two \\ are needed)
> >
> > Just one thing on that. Remember that this is not checked by SSH
> > for authorized_keys based logins, it is run on the password
> > checking path only. As long as they can't add such keys (no home
> > dir) that is fine, but just be aware.
> >
> > I take it you have set a template shell and that is why you have
> > access at all?
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> Thanks for pointing this out - I hadn't realised that. Yes I have
> set a template in smb.conf for shell and home dir on the DCs but use
> the unix attributes in AD for member servers. So to prevent such
> logons, I should not set the home dir template or should I set it
> to /dev/null or similar non-existent dir?
>
> Thanks,
>
> Roy
>

I think Andrew has thrown you a curved ball here. By default on a DC,
the logon shell is /bin/false and the home directory is '/home/%D/%U'.
That is, no users can log in, but if they could, they would get a
homedir in /home/DOMAIN/username. So, as far as a DC is concerned, if
you want anybody to logon, you must change the template shell
parameter, but this would allow any user to logon. If you change the
home dir template, this will also be used for all users, so if one
group cannot logon, no one can logon.

Your way of only allowing members of one group to logon is probably the
only way to go. If a user doesn't have a home dir created they cannot
logon and if they cannot logon, they will not get a home dir created,
so there will be nowhere to store any ssh keys.

Rowland
> > > Just one thing on that. Remember that this is not checked by SSH
> > > for authorized_keys based logins, it is run on the password
> > > checking path only. As long as they can't add such keys (no home
> > > dir) that is fine, but just be aware.
> > >
> > > I take it you have set a template shell and that is why you have
> > > access at all?
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > >
> > Thanks for pointing this out - I hadn't realised that. Yes I have
> > set a template in smb.conf for shell and home dir on the DCs but use
> > the unix attributes in AD for member servers. So to prevent such
> > logons, I should not set the home dir template or should I set it
> > to /dev/null or similar non-existent dir?
> >
> > Thanks,
> >
> > Roy
> >
>
> I think Andrew has thrown you a curved ball here. By default on a DC,
> the logon shell is /bin/false and the home directory is '/home/%D/%U'.
> That is, no users can log in, but if they could, they would get a
> homedir in /home/DOMAIN/username. So, as far as a DC is concerned, if
> you want anybody to logon, you must change the template shell
> parameter, but this would allow any user to logon. If you change the
> home dir template, this will also be used for all users, so if one
> group cannot logon, no one can logon.
>
> Your way of only allowing members of one group to logon is probably the
> only way to go. If a user doesn't have a home dir created they cannot
> logon and if they cannot logon, they will not get a home dir created,
> so there will be nowhere to store any ssh keys.
>
> Rowland
>

Hi Rowland,

Thanks for clarifying that. However if I set the template homedir in smb.conf to /dev/null the user can still log on, and an error message is displayed, but the user is left at the root of the filing system (/). Maybe I have some setting incorrect?

So I did some tests.

1) I set up a test user. This user is not a member of linuxadmins, so should not be able to log on to the servers using ssh (or at the console).
2) Set the user's unix home directory to be the same as in AD for Windows.
3) Logged on to a Windows computer using the test user's credentials.
4) Used PuTTYgen to generate public and private keys for use with ssh.
5) Created the folder .ssh in the user's home folder on the server.
6) Copied the public key to the authorized_keys file in the user's .ssh folder.

I found I was able to log on to the server with ssh using the keys!

The solution therefore is to ensure the user doesn't have a (unix) home folder (or one that's inaccessible to the user from the network) as Andrew suggests. Along with the required group membership, this should ensure only those authorised to connect will be able to do so.

Thanks again to Andrew and Rowland. I think I understand it now! ;-)

Roy
Hello! Roy Eastwood via samba, on that day, wrote:

> or should I set it to /dev/null or similar non-existent dir?

Pay a little attention to that.

If you set an invalid shell for users, in newer Debian this can lead to minor trouble (e.g. if you run scripts for users with 'su', they do not work or you have to run with an explicit shell).

I prefer to have all users with a valid shell, and act elsewhere (e.g. in SSH in 'authorized-groups').

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Thanks Marco, see inline comments below.

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Marco Gaiarin via samba
> Sent: 04 December 2017 08:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] Restricting AD group logging on to Servers
>
> Hello! Roy Eastwood via samba, on that day, wrote:
>
> > or should I set it to /dev/null or similar non-existent dir?
>
> Pay a little attention to that.
>
> If you set an invalid shell for users, in newer Debian this can lead to
> minor trouble (e.g. if you run scripts for users with 'su', they do not work or
> you have to run with an explicit shell).
>

This was not for the shell, but for the homedir setting - to prevent a user logging on with key authentication (nowhere for the user to save a public key).

>
> I prefer to have all users with a valid shell, and act elsewhere (e.g. in
> SSH in 'authorized-groups').
>
> --
> dott. Marco Gaiarin GNUPG Key ID: 240A3D66

Regards,

Roy
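To make the gap discussed in this thread visible on a host, here is a small added audit script (not code from the thread, from Samba or from OpenSSH) that parses a pam_winbind auth line and an sshd_config and reports which groups gate the password path versus the key path. It assumes Marco's 'authorized-groups' refers to sshd's AllowGroups directive, and the PAM and sshd_config text below is constructed, not taken from Roy's servers.

```python
"""Added audit helper: pam_winbind's require_membership_of is enforced on the
password path, so an authorized_keys login is only gated if sshd_config
restricts it itself (AllowGroups). Reports both paths side by side."""
import re

# Constructed samples modelled on the thread: a single backslash between
# domain and group, as Roy found works for require_membership_of.
PAM_AUTH = r"""
auth  [success=1 default=ignore]  pam_winbind.so krb5_auth try_first_pass require_membership_of=DOMAIN\linuxadmins
auth  required                    pam_unix.so
"""
SSHD_WEAK = """
UsePAM yes
PubkeyAuthentication yes
"""
# Hypothetical hardened config: the AllowGroups value must match the group
# name exactly as `getent group` shows it on the host (assumed here).
SSHD_FIXED = SSHD_WEAK + r"AllowGroups DOMAIN\linuxadmins" + "\n"

# The PAM control field may be a bracketed list containing spaces.
PAM_LINE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def pam_required_groups(pam_text):
    """Groups named by require_membership_of on pam_winbind auth lines."""
    groups = []
    for line in pam_text.splitlines():
        m = PAM_LINE.match(line)
        if not m or not m.group(2).endswith("pam_winbind.so"):
            continue
        for opt in m.group(3).split():
            if opt.startswith("require_membership_of="):
                groups.extend(opt.split("=", 1)[1].split(","))
    return groups


def sshd_allow_groups(sshd_text):
    """AllowGroups tokens; an empty list means key logins are not group-gated."""
    allow = []
    for line in sshd_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "allowgroups":
            allow.extend(parts[1].split())
    return allow


def audit(pam_text, sshd_text):
    """Password path is what pam_winbind gates; key path only what sshd gates."""
    return {"password_path_groups": pam_required_groups(pam_text),
            "key_path_groups": sshd_allow_groups(sshd_text)}
```

Run `audit(PAM_AUTH, SSHD_WEAK)` and the key path comes back empty even though the password path is restricted, which is exactly the login Roy reproduced with PuTTYgen keys.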