Displaying 20 results from an estimated 900 matches similar to: "require_membership_of is ignored"
2013 Aug 22
1
Not Obeying "require_membership_of" winbind.so when "User must change password at next logon"
Okay, so I have an Active Directory server running on Windows Server 2012 Standard
I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly.
I am able to login with my Active Directory users credentials.
When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm.
2006 Sep 22
1
ssh login through AD solution
Thanks to Anthony Ciarochi at Centeris for this solution.
I have a Centos (Red Hat-based) server that is now accessible to AD users
AND local users via ssh. I can control which AD groups can login using the
syntax below. Red Hat-based distros use "pam_stack" in pam.d which is quite
different than Debian's "include" based pam.d,
cat /etc/pam.d/sshd
#
2018 Jun 01
2
GSSAPI vs group check
Dear All,
Is it possible to make any authorization (eg. checking of group
membership) in case of GSSAPI authentication?
Our dovecot authenticates the users against PAM and GSSAPI. In the PAM
file I'm able to check if a user is a member of a selected (e.g
mailreader) group. If the user is member, he can login otherwise not
(see below). If the user has a valid Kerberos ticket and he
2009 Sep 16
1
locking down ssh when using winbind
Hi all,
I'm using samba with winbind which has been integrated with Active
Directory.
In the smb.conf file, I have
template shell = /bin/bash
winbind use default domain = yes
to allow ssh but I don't want all the domain users to be able to ssh.
Is there a way to only allow for example) domain\ssh_group which is an
active directory group to be able to ssh into the server?
This is my
2008 Jan 03
1
require_membership_of being ignored?
Hi, I'm setting up a Gentoo samba server for home directories on a 2003 ADS
network.
I've decided to use pam_mkhomedir.to have the fileserver automagically create
their home when they first log in. But we don't want everyone to log in, just
the members of the AD group filesurfer-users.
The problem: Regardless of what I put as a require_membership_of= in the samba
pam file, any domain
2011 Jun 17
2
Restricting logins using pam_winbind require_membership_of ?
Hi.
I have some shares on a server that are offered to specific Active Directory
user groups, but the business doesn't want those users to be able to login
to the server. If I were to add "require_membership_of" to pam_winbind to
limit logins and shut out the users I don't want, would it also have the
side effect of denying those users access to the shares as well?
Regards,
2020 Jul 28
2
kerberos ticket on login problem
I'm experimenting with smb + winbind.
My host is joined to AD and I can login to my host fine using my AD
credentials via SSH.?? The only issue is that I don't get a Kerberos
ticket generated.
In /etc/security/pam_winbind.conf I have:
krb5_auth = yes
krb5_ccache_type = KEYRING
In /etc/krb5.conf, I also have:
default_ccache_name = KEYRING:persistent:%{uid}
Using wbinfo -K jas, then
2012 May 31
1
Tangential Issue: idmap backend = ad and Active Directory 2008R2
Tried single quotes on Domain Admins in the pam.d file as well as a backslash on the space with no effect. I've found several references that just say "no spaces in group names." Is there really no way to do this?
Also, most references I find to using these lines in pam.d say that "sufficient" should work, but I'm finding that users in the named group can then log in
2012 May 29
4
idmap backend = ad and Active Directory 2008R2
Hello All,
I'm trying to set up linux ssh/shell authentication on a CentOS_6.2 server
running smbd version 3.5.10-114 using winbind/smb/pam. We've done this
successfully using the tdb backend but wanted users to get the same UID/GID
on every machine. Switched to rid for the backend but users still got a
foreign number for UID and their default group was always Domain Users. So
I'm
2020 Sep 11
4
Winbind offline cache and strangeness...
I've setup a portable system (ubuntu 16.04) joined to my AD domain,
that in their primary network works as expected.
But in this 'COVID time', the portable start to roam around, and users
say me that, suddenly after some days of use, get incredibly
sloooowww... after that users reboot, and cannot get back in, login
refused.
I've setup a VPN, but clearly if users cannot login
2008 Aug 06
1
winbindd behaving oddly
Hello folks,
Been beating my head with an winbind and pam just behaving oddly. I have following
various HOW-TO's, wiki's, and docs, and just can't seem to get past a wall. Here a
some of the issues:
- the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in the logs. Here's
an exact snippet:
Aug 6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd):
2013 Nov 28
4
SSH - Winbind and Keybased Auth
Hi Team,
We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication.
However, if the user has a ssh key set up, they seem to bypass the group membership
2012 Feb 20
1
A couple of quick questions
Hi, Everybody,
I have a couple of quick questions that I'm having a little of
difficulty with. I'm guessing these will be pretty easy to answer.
The first is;
1) Is it possible to deterministically set the domain name that will
be used when the "winbind use default domain = Yes" option is
configured in /etc/samba/smb.conf? I want to set a default domain,
however I do not
2008 Jun 04
1
Problem with Login Shell in User Information using Winbind
Hi all
I am trying to get windows AD logins to work with Fedora 8/9 linux.I had
the same setup working well with fedora 7 , but with fedora 8/9 the
problem is whenever I do "getent passwd 'username'" the login shell is
listed as /bin/false and users cannot login , even though I have set it
to use template shell= /bin/bash in the smb.conf configuration file.
Also I have made
2012 Aug 02
9
winbind: uid range is ignored
Hi everone.
Ubuntu 12.04 v3.6 clients with winbind joined to 12.04 Samba4 DC
Clients:
smb.conf
[global]
realm = polop.site
workgroup = POLOP
security = ADS
wide links = Yes
unix extensions = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 300000-400000
idmap gid = 20000-30000
/etc/nsswitch.conf
passwd: compat winbind
group: compat
2020 Jul 29
1
kerberos ticket on login problem
On 7/28/2020 4:11 PM, Jason Keltz wrote:
>
> On 7/28/2020 3:59 PM, Jason Keltz via samba wrote:
>> I'm experimenting with smb + winbind.
>>
>> My host is joined to AD and I can login to my host fine using my AD
>> credentials via SSH.?? The only issue is that I don't get a Kerberos
>> ticket generated.
>>
>> In
2011 Aug 17
3
Bug#638152: Error: Device 51712 (vbd) could not be connected. Hotplug scripts not working.
Package: xen-utils-4.0
Version: 4.0.1-2
Severity: normal
This issue is similar to
http://lists.alioth.debian.org/pipermail/pkg-xen-devel/2011-March/003217.html
but since I was not able to find a bug report I'm reporting this now.
Steps to reproduce:
1) cat << EOF > config
name = 'squeeze64'
vcpus = '4'
memory = '512'
disk = [
2008 May 14
3
[Fwd: File Locking and Permissions Issue]
-------- Original Message --------
Subject: File Locking and Permissions Issue
Date: Wed, 14 May 2008 15:10:28 -0700
From: Jack Lauman <jlauman@nwcascades.com>
Organization: nwcascades.com
To: mailto:samba@lists.samba.org
I'm trying to get Lacerte 2007 Tax Accounting software working on a
Samba v3.0.28a based server. When one user is logged in it works fine.
When two or more users
2007 Nov 14
3
Sso the Linux way?
So I was googling around about this over the last week and here is what I
found:
nis/yp is for some reason bad.
Kerbos is holy, but no how-to's that don't involve windows and active
directory.
What is the recommended sso approach for centos? Where are there examples /
docs to follow?
Jason
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-
2020 Jun 16
2
Samba as a domain member:
Yes:
# getent group GROUP
group:x:17573:
# getent group group2
group2:x:11010:
# getent group GROUP3
group3:x:21178:
# wbinfo --group-info GROUP
group:x:17573:
# wbinfo -n GROUP
S-1-5-21-948789634-15155995-928725530-7573 SID_DOM_GROUP (2)