Marco Gaiarin
2025-Nov-06 08:31 UTC
[Samba] PAM, Winbind, SSH and 'require_membership_of' in a forest...
We need to set up some Samba member servers (RH/Oracle Linux, but I think it does not matter too much...) joined to an MS AD forest (5 domains in the forest). We are trying to configure SSH access to the server, and the first try was to use sshd_config 'AllowGroups', but we have found some sort of 'chicken and egg' trouble: users have to have done a successful logon to have their groups correctly enumerated, and so be able to log on.

A simple solution seems to be to NOT use 'AllowGroups' and instead add (in /etc/security/pam_winbind.conf or in the PAM configuration, see later):

require_membership_of=<our administration SID or group name>

Looking at the manpage, it seems to me that this parameter (even when added in /etc/security/pam_winbind.conf) is taken into account only in the 'password' PAM context, e.g. all groups are taken into account in, most notably, the 'session' PAM context.

Anyway, I'm asking here if:

1) this is the correct solution, or there is another solution for this 'chicken and egg' trouble in group enumeration;

2) it is correct to add 'require_membership_of' to /etc/security/pam_winbind.conf, or it is preferable to add it only to the ssh PAM configuration (clearly in the 'password' context).

Thanks. --
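As an added illustration (not from Marco's post and not a file shipped by Samba or any distribution), the two placements the question is about look like this. The SID S-1-5-21-1111111111-2222222222-3333333333-1105, the group name DOM\linux-admins and the surrounding PAM stack are placeholders; a real RHEL-family /etc/pam.d/sshd includes password-auth rather than listing the modules directly. Two caveats from the pam_winbind(8) manpage that bear on the question: require_membership_of only operates during password authentication, so it does not restrict an SSH login that completes without a password (public-key authentication), whereas sshd's AllowGroups is enforced for every authentication method; and the manpage recommends giving a SID rather than a name, because a name must not contain spaces and is looked up at run time.

```pam
# --- /etc/pam.d/sshd (simplified illustrative stack, not a distro default) ---
# Placement A: option given on the pam_winbind.so line, so it applies to sshd only.
# The manpage states it is honoured during password authentication, which is the
# 'auth' stack below; the 'account' and 'session' entries for pam_winbind do not
# evaluate it. Placeholder SID, replace with your own administration group's SID.
auth     required    pam_env.so
auth     sufficient  pam_winbind.so require_membership_of=S-1-5-21-1111111111-2222222222-3333333333-1105
auth     sufficient  pam_unix.so try_first_pass
auth     required    pam_deny.so

account  required    pam_nologin.so
account  [success=1 default=ignore] pam_winbind.so
account  required    pam_unix.so
account  required    pam_permit.so

session  required    pam_mkhomedir.so umask=0077
session  optional    pam_winbind.so
session  required    pam_unix.so

# --- /etc/security/pam_winbind.conf ---
# Placement B: the same option in the [global] section applies to every PAM
# service that loads pam_winbind.so (login, su, sudo, ...), not just sshd.
# Placeholder SID as above.
[global]
require_membership_of = S-1-5-21-1111111111-2222222222-3333333333-1105

# To find the SID of the group, and to verify which SIDs winbind currently
# resolves for a given user (the manpage suggests the second command):
#   wbinfo -n 'DOM\linux-admins'
#   wbinfo --user-sids=<user SID from wbinfo -n 'DOM\user'>
```

Because Placement B affects every winbind-backed PAM service on the host, it is the more restrictive choice: a member of the domain who is not in the named group is refused a password logon everywhere, not only over SSH. Placement A keeps the restriction scoped to sshd, and both can be combined with AllowGroups once the enumeration problem is sorted out, since AllowGroups is what covers key-based logins.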