Displaying 20 results from an estimated 59 matches for "require_membership_of".

2008 Jan 03
1
require_membership_of being ignored?
...for home directories on a 2003 ADS network. I've decided to use pam_mkhomedir to have the fileserver automagically create their home when they first log in. But we don't want everyone to log in, just the members of the AD group filesurfer-users. The problem: Regardless of what I put as a require_membership_of= in the samba pam file, any domain user can log in and a home directory is created. I've attached a copy of /etc/pam.d/samba and /etc/samba/smb.conf. Any help would be greatly appreciated. /etc/pam.d/samba: ---------------------------------------------------------------------- #%PAM-1.0 # R...
2020 Jun 16
2
Samba as a domain member:
Yes: # getent group GROUP group:x:17573: # getent group group2 group2:x:11010: # getent group GROUP3 group3:x:21178: # wbinfo --group-info GROUP group:x:17573: # wbinfo -n GROUP S-1-5-21-948789634-15155995-928725530-7573 SID_DOM_GROUP (2)
2011 Jun 17
2
Restricting logins using pam_winbind require_membership_of ?
Hi. I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add "require_membership_of" to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well? Regards, John
2013 Jan 24
3
require_membership_of is ignored
I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user. The problem is, I can log on as any AD user. require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in. I've put this option in both /etc/pam.d/system-auth and /etc/security/pam_winbind.conf and any user can log in. Any suggestions, or advice on how I can better troubles...
2009 Nov 12
2
Looking for AIX Users of Winbind -- Authorization and SSH Problems
...with pWare's compiled SSH 5.2.1.0. 2. Authorization (e.g., who can log into the box ... NOT just all of AD). I'm pretty good at configuring Winbind on Linux, and on Linux there's a pam_winbind.conf file that I usually use to lock down the box to specific AD users or groups -- I use the require_membership_of line and it works just fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by default. I've tried placing it in /etc/security/ or in other locations, but it doesn't seem to be used. I've also tried adding pam_winbind lines to the /etc/pam.conf and manually adding t...
2013 Aug 22
1
Not Obeying "require_membership_of" winbind.so when "User must change password at next logon"
Okay, so I have an Active Directory server running on Windows Server 2012 Standard. I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly. I am able to login with my Active Directory users credentials. When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm. There is a drawback to using this it seems. When I go into my AD server and check the box marked "User must change password at next logon" then that user, regard...
2013 Dec 09
0
[Announce] Samba 4.1.3, 4.0.13 and 3.6.22 Security Releases
Release Announcements --------------------- Samba 4.1.3, 4.0.13 and 3.6.22 have been issued as security releases in order to address CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and CVE-2012-6150 (pam_winbind login without require_membership_of restrictions). o CVE-2013-4408: Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 - 3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are vulnerable to buffer overrun exploits in the client processing of DCE-RPC packets. This is due to incorrect checking of the...
2017 Dec 01
2
Restricting AD group logging on to Servers
...in quotes or not, with () as per the man page but cannot get this to work - ie no matter what I enter all AD users are allowed to log in (using SSH). Searching the net I found reference to the pam_winbind.conf file in /etc/security. This did not exist, so I created a file containing the line: require_membership_of=DOMAIN\\linuxadmins but this has no effect. The man pages for pam_winbind and pam_winbind.conf indicate it has been built for Samba v4.7 but states "is correct for version 3 of Samba". So I assume it's no longer used for version 4? On member servers, setting the user's shel...
2017 Dec 01
2
Restricting AD group logging on to Servers
...> > get this to work - ie no matter what I enter all AD users are allowed > > to log in (using SSH). > > > > Searching the net I found reference to the pam_winbind.conf file > > in /etc/security. This did not exist, so I created a file > > containing the line: require_membership_of=DOMAIN\\linuxadmins but > > this has no effect. The man pages for pam_winbind and > > pam_winbind.conf indicate it has been built for Samba v4.7 but states > > "is correct for version 3 of Samba". So I assume it's no longer > > used for version 4? > >...
2008 Aug 06
1
winbindd behaving oddly
...6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD I get this w/o even entering a password. If I break out and just hit it 2 more times it will lock the account out as expected. - require_membership_of seems to be flat out ignored. it will work if I have one group, and put it in the 'auth' section of the system-auth file but I have multiple groups. If I put multiple groups under the 'auth' section it will try to authenticate for each group and lock the account out if the password i...
2005 Oct 26
1
Question about pam_winbind
I was looking at the documentation at samba.org and it says the following: require_membership_of=[SID or NAME] If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, a alias-SID or even a user-SID. It is also possible to give a NAME instead of the SID. That name must have the form: /|MYDOMAIN\mygroup|/ or /|M...
2013 Nov 28
4
SSH - Winbind and Keybased Auth
...lickey for nathan from 1.2.3.4 port 61767 ssh2 System-auth-ac: [root at testbox01 pam.d]# cat system-auth-ac auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership...
2007 Jan 15
1
Winbind caching group membership issue
Hi All, I am using samba-common-3.0.10-1.4E.9 on a RHEL4_U4 x86 machine. The ADS server is WS03 sp1 running in Windows Server 2003 interim mode. In general things are working well. However, when winbind caching is enabled (default), group membership does not appear to update, i.e. "wbinfo -r bob" and "groups bob" don't reflect changes in ADS group membership.
2017 Dec 01
0
Restricting AD group logging on to Servers
...per the man page but cannot > get this to work - ie no matter what I enter all AD users are allowed > to log in (using SSH). > > Searching the net I found reference to the pam_winbind.conf file > in /etc/security. This did not exist, so I created a file > containing the line: require_membership_of=DOMAIN\\linuxadmins but > this has no effect. The man pages for pam_winbind and > pam_winbind.conf indicate it has been built for Samba v4.7 but states > "is correct for version 3 of Samba". So I assume it's no longer > used for version 4? > > On member server...
2017 Dec 01
0
Restricting AD group logging on to Servers
...- ie no matter what I enter all AD users are allowed > > > to log in (using SSH). > > > > > > Searching the net I found reference to the pam_winbind.conf file > > > in /etc/security. This did not exist, so I created a file > > > containing the line: require_membership_of=DOMAIN\\linuxadmins but > > > this has no effect. The man pages for pam_winbind and > > > pam_winbind.conf indicate it has been built for Samba v4.7 but states > > > "is correct for version 3 of Samba". So I assume it's no longer > > > used fo...
2020 Jun 17
1
Samba as a domain member:
...d this up (now they are commented out). I might need to "leave" the domain, remove the tlb files and re-join (with the OTHERDOMAIN entries in smb.conf commented out)? I'm asking because I have two older systems (same distro, same packages, but older versions) that work fine with 'require_membership_of=GROUP'. On these systems, the smb.conf is different (configured at least a year ago): samba-4.5.10 (also built with system-mitkrb5) [global] workgroup = DOMAIN server role = standalone server printcap name = cups load printers = yes log file = /var/log/samba/log.%m max log s...
2008 Jan 23
0
strange issues with pam_winbind and sudo
...to be running samba 3.0.25b, both are members of an active directory domain . There are 7 domain controllers in total, and there are a largish number of users: approximately 34,000. I am only allowing users that belong to a certain group to log in, selecting in /etc/security/pam_winbind.conf with require_membership_of=[GROUP SID]. I also have this same group named in /etc/sudoers with a line similar to: %Name\ Of\ My\ Group ALL=(ALL) ALL (note that I am using a group name with spaces in it, though it states in docs this is a no-no it seems to work, initially at least - more on that later) The first iss...
2020 Jun 15
2
Samba as a domain member:
...openvpn config to see if my misconfiguration is here or there. openvpn uses: plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn-ivpn My pam.d config is: # cat /etc/pam.d/openvpn-ivpn #%PAM-1.0 # $Id$ auth required pam_env.so auth sufficient pam_winbind.so require_membership_of=GROUP auth sufficient pam_unix.so likeauth nullok use_first_pass auth required pam_deny.so account sufficient pam_winbind.so require_membership_of=GROUP account required pam_unix.so password required pam_cracklib.so retry=3 password sufficient p...
2020 Jul 28
2
kerberos ticket on login problem
...ed KEYRING. I don't know if wbinfo automatically writes to FILE or whether it reads pam_winbind.conf and should be writing to KEYRING). If I remove the file, and ssh to the system, I don't get a Kerberos ticket. I know the pam_winbind.conf file is being read on login because the "require_membership_of" line I'm using works. Any thoughts? Jason.