similar to: locking down ssh when using winbind

Thanks to Anthony Ciarochi at Centeris for this solution. I have a Centos (Red Hat-based) server that is now accessible to AD users AND local users via ssh. I can control which AD groups can login using the syntax below. Red Hat-based distros use "pam_stack" in pam.d which is quite different than Debian's "include" based pam.d, cat /etc/pam.d/sshd #

I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands like wbinfo -u and wbinfo -g output the users and groups. I can also log in as any AD user. The problem is, I can log on as any AD user. require_membership_of is being ignored. I can put in a valid group with no spaces in the name, a group by SID, and either way, everyone can log in. I've put this option in both

Hi all I am trying to get windows AD logins to work with Fedora 8/9 linux.I had the same setup working well with fedora 7 , but with fedora 8/9 the problem is whenever I do "getent passwd 'username'" the login shell is listed as /bin/false and users cannot login , even though I have set it to use template shell= /bin/bash in the smb.conf configuration file. Also I have made

<pre>I have a machine with the follow specs.<br /><br />Linux hermes.business.com 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005<br />i686 i686 i386 GNU/Linux<br /><br />pam-0.79-8<br />dovecot-0.99.14-4.fc4<br /><br />No one is able to receive e-mails due to authentication failures and yesterday afternoon<br />they were able to.<br

I have a couple of workstations that are perfect candidates for Linux at a client's location. The only think i am shaky on is getting CentOS 4.4 to integrate into the AD domain. Any tips links would be highly appreciated. -- My "Foundation" verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou

Hi, I'm running Plesk 11.0.9 on a Centos 5.5. A website on that box got hacked last week and malicious code got inserted into some html/php files. So I went to find out what happened... I found no back doors by using rkhunter or manually searching for suspicious files in /tmp, etc. No activity at all in the php logs at the time of the attack. I also analysed of course the system logs

Dear All, Is it possible to make any authorization (eg. checking of group membership) in case of GSSAPI authentication? Our dovecot authenticates the users against PAM and GSSAPI. In the PAM file I'm able to check if a user is a member of a selected (e.g mailreader) group. If the user is member, he can login otherwise not (see below). If the user has a valid Kerberos ticket and he

Hello, I have been using Fedora Core, Samba, and Active Directory to provide authentication services for Windows based users for a few years now, but as an experiment I wanted to accomplish the same service with SUSE 9.3 . I have been able to get this configuration to run successfully with RH9, FC1, FC2, FC3, and FC4 (buggy but works), but with SUSE I have stalled a bit. I feel I have

On Wed, 12 Jun 2024 09:00:47 +0200 Christian Naumer via samba <samba at lists.samba.org> wrote: > Am 11.06.24 um 19:37 schrieb Luis Peromarta via samba: > > Correct, and I have done so and explained extensively at the > > beginning to this thread. > > > > Question is: > > > > Should we stop telling people to provision with idmap_ldb:use > >

I have a laptop with fedora core 3 installed. I have an NT domain that I would like to use for all authentication (Linux and Windows). As a test I decided to focus on ssh authentication. I have completed the following: Created the smb.conf: [global] workgroup = DOMAIN_NAME server string = Linux Workstation log file = /var/log/samba/%m.log max log size = 50 security = domain

Tried single quotes on Domain Admins in the pam.d file as well as a backslash on the space with no effect. I've found several references that just say "no spaces in group names." Is there really no way to do this? Also, most references I find to using these lines in pam.d say that "sufficient" should work, but I'm finding that users in the named group can then log in

Hello All, I'm trying to set up linux ssh/shell authentication on a CentOS_6.2 server running smbd version 3.5.10-114 using winbind/smb/pam. We've done this successfully using the tdb backend but wanted users to get the same UID/GID on every machine. Switched to rid for the backend but users still got a foreign number for UID and their default group was always Domain Users. So I'm

I've setup a portable system (ubuntu 16.04) joined to my AD domain, that in their primary network works as expected. But in this 'COVID time', the portable start to roam around, and users say me that, suddenly after some days of use, get incredibly sloooowww... after that users reboot, and cannot get back in, login refused. I've setup a VPN, but clearly if users cannot login

Hi, Everybody, I have a couple of quick questions that I'm having a little of difficulty with. I'm guessing these will be pretty easy to answer. The first is; 1) Is it possible to deterministically set the domain name that will be used when the "winbind use default domain = Yes" option is configured in /etc/samba/smb.conf? I want to set a default domain, however I do not

Good Day, I am testing, in a lab environment, samba shares with ad authentication for access. My setup is as follows : * Windows 2008 RC2 * RHEL 5.9 * Windows 7 * Windows XP SP3 * Samba 3.0.33-3.39.el5_8 All machines, including the RHEL Server having been added to the Domain running on the Windows 2008 RC2 Server. As per the subject, when trying to connect, from XP or Win 7, to the shares I

This is more of a pam question then a samba question, but I thought I'd start here and see if I can get an answer. I've gotten pam_winbind.so working with gdm (on RHAT 8) using the following /etc/pam.d/gdm file. I've put + signs to show the lines I added I added to the stock RHAT 8 gdm pam def.: #%PAM-1.0 + auth sufficient /lib/security/pam_winbind.so + auth

I've installed SAMBA, Winbind etc and everything is working great for users to login with GDM using DOMAIN+username Although this is working, now I can no longer login as a generic Linux user (ex. root). The following is my GDM file from /etc/pam.d/gdm I wonder if someone might have a suggestion as to what it's missing to allow Linux users to login? #%PAM-1.0 auth required

I'm running CentOS 4.3 with the most recent samba-client and samba-common rpms. I've managed to configure samba/winbind to allow me to join the box to the AD, create the UID and GID mappings, etc. However, when I try to connect via ssh, the account cannot log in. /var/log/messages says the following: Sep 5 17:15:25 kdcdmz sshd[6263]: error: Could not get shadow information for

Hi all, I have been trying to setup authentication of users on a Linux server against Windows server 2003 using winbind. I am at the point where an su - ADUSERNAME works, but sshing as that user still doesn't work. When I try to ssh as an AD user as follows: ssh -l "RILINUX+testuser" server.domain.com I get the following output in /var/log/messages: server pam_winbind[5906]:

Hi, I was using Samba 3.0.9 on Fedora Core 2 and decided to upgrade to 3.0.10. So I upgrade to Core 3 and installed Samba 3.0.10 and thought I could just copy my settings over to the new build and everything would run smoothly. I thought wrong. Everything seems fine until I enable Obey Pam Restrictions. If enabled I get a login error from XP stating: " Windows cannot locate your