Marco Gaiarin
2025-Nov-10 11:06 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
[I retry... still no feedback... thanks...]
We need to set up some Samba member servers (RH/Oracle Linux, but I think it does not matter too much...) joined to an MS AD forest (5 domains in the forest).
We are trying to configure SSH access to the servers, and the first try was to use sshd_config 'AllowGroups', but we have found some sort of 'chicken and egg' trouble: users have to have done a successful logon to have their groups correctly enumerated and so be able to log on.
A simple solution seems to be to NOT use 'AllowGroups' and add (in /etc/security/pam_winbind.conf or in the PAM configuration, see later):
require_membership_of=<our administration SID or group name>
Looking at the manpage, it seems to me that this parameter (even when added in /etc/security/pam_winbind.conf) is taken into account only in the 'password' PAM context, e.g. all groups are taken into account for, e.g., most notably, the 'session' PAM context.
Anyway, I'm asking here if:
1) this is the correct solution, or there's another solution for this 'chicken and egg' trouble in group enumeration
2) it is correct to add 'require_membership_of' to /etc/security/pam_winbind.conf, or it is preferable to add it only to the ssh PAM configuration (clearly in the 'password' context).
Thanks.
--
Stefan Kania
2025-Nov-10 16:05 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
To get AllowGroups to work, you must set "winbind expand groups = 1"; if you are using nested groups, increase the number.
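A pre-flight check for the two approaches in this thread (an added example, not code from any poster): it verifies what sshd's AllowGroups depends on (the group being enumerated through NSS for the user, which is what the "winbind expand groups" setting above addresses) and what pam_winbind's require_membership_of depends on (the group SID appearing in the user's SID list, the check pam_winbind.conf(5) recommends via wbinfo --user-sids). It assumes a winbind-joined member server with wbinfo and getent available, the default '\' winbind separator, and placeholder domain, user, group and SID values passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a user would pass
# sshd AllowGroups (NSS group enumeration) and pam_winbind
# require_membership_of (SID membership) on this member server.
set -eu

# Pure helper: does NAME appear in the member list of a 'getent group'
# record (name:x:gid:member1,member2,...)? Exit 0 if so, 1 if not.
group_record_has_member() {
    record=$1; name=$2
    members=${record##*:}
    case ",$members," in
        *",$name,"*) return 0 ;;
    esac
    return 1
}

# Pure helper: does SID appear in a whitespace/newline-separated SID list
# (the format printed by 'wbinfo --user-sids=SID')?
sid_list_has() {
    list=$1; sid=$2
    for s in $list; do
        [ "$s" = "$sid" ] && return 0
    done
    return 1
}

# Live check 1 (AllowGroups path): is the user listed as a member of the
# group through NSS *before* any logon? Without 'winbind expand groups'
# the member list is typically empty, which is the chicken-and-egg trouble.
check_nss_group() {   # args: 'DOM\user' 'DOM\group'
    rec=$(getent group "$2") || { echo "group $2 not resolvable via NSS"; return 1; }
    group_record_has_member "$rec" "$1"
}

# Live check 2 (require_membership_of path): does winbind report the group
# SID among the user's SIDs? 'wbinfo -n' prints "SID TYPE"; take the SID.
check_winbind_sid() { # args: 'DOM\user' group-SID
    usid=$(wbinfo -n "$1" | awk '{print $1}')
    sid_list_has "$(wbinfo --user-sids="$usid")" "$2"
}

# Usage: ./check.sh 'DOM\user' 'DOM\admins' 'S-1-5-21-<placeholder>-512'
if [ $# -eq 3 ]; then
    check_nss_group "$1" "$2" && echo "NSS: $1 is in $2" \
        || echo "NSS: $1 NOT in $2 (AllowGroups would reject the logon)"
    check_winbind_sid "$1" "$3" && echo "winbind: $1 holds $3" \
        || echo "winbind: $1 does NOT hold $3 (require_membership_of would fail)"
fi
```

Run the NSS check before the first logon of a test user; if it fails while the winbind check succeeds, AllowGroups is the problem and the pam_winbind route (or the expand-groups setting) is what to fix.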
Stefan Kania
2025-Nov-10 16:16 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
And if you want, you can add your public keys to AD so you don't have to copy your public key to all your servers. See here for more: https://www.samba-book.com/2025/11/10/how-to-add-ssh-publickeys-to-samba-ad/