You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?
Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF
________________________________________
From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
Sent: Wednesday, September 16, 2009 6:16 PM
To: samba@lists.samba.org
Subject: Re: [Samba] locking down ssh when using winbind

Thanks Andrew,

The file didn't have the line = account required pam_stack.so service=system-auth so changed it to the following, group's name in AD is domain\sshusers btw so I'm not sure if I have to input it as domain\sshusers or sshusers. But doesn't seem to work... What did I do wrong?:

#auth required pam_nologin.so
auth sufficient pam_stack.so service=system-auth
auth sufficient pam_winbind.so
account sufficient pam_succeed_if.so user ingroup sshusers
#account sufficient pam_stack.so service=system-auth
account sufficient pam_winbind.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so

On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:

> You can restrict access to specific local and domain groups:
>
> #account required pam_stack.so service=system-auth
> account sufficient pam_succeed_if.so user ingroup users
> account sufficient pam_succeed_if.so user ingroup webdevelopers
>
> Check here for more info:
> http://linux.die.net/man/8/pam_succeed_if
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Luv Linux
> Sent: Wednesday, September 16, 2009 4:14 PM
> To: samba@lists.samba.org
> Subject: [Samba] locking down ssh when using winbind
>
> Hi all,
>
> I'm using samba with winbind which has been integrated with Active
> Directory.
> In the smb.conf file, I have
> template shell = /bin/bash
> winbind use default domain = yes
>
> to allow ssh but I don't want all the domain users to be able to ssh.
>
> Is there a way to only allow for example) domain\ssh_group which is an
> active directory group to be able to ssh into the server?
>
> This is my current pam.d/sshd file:
> auth required pam_nologin.so
> auth sufficient pam_stack.so service=system-auth
> auth sufficient pam_winbind.so
> account sufficient pam_stack.so service=system-auth
> account sufficient pam_winbind.so
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_loginuid.so
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
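
Added example, not part of the thread and not Samba or Linux-PAM code: a simplified Python model of the Linux-PAM `required`, `requisite` and `sufficient` control flags, applied to the account lines posted above and to a variant that marks the group check `required`. The module outcomes are constructed inputs, and `run_stack`, `decide` and the two stack names are hypothetical.

```python
# Simplified model of Linux-PAM control flags; added example, not Linux-PAM code.
# Only required, requisite and sufficient are modelled.

def run_stack(stack, outcomes):
    """Return True if one management group (here: account) permits the login.

    stack    -- list of (control, module) pairs in file order
    outcomes -- module name -> bool, the constructed result of each module
    """
    failed = False    # a required module has already failed
    positive = False  # some module result has counted as success
    for control, module in stack:
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return False          # fail immediately
            positive = True
        elif control == "required":
            if ok:
                positive = True
            else:
                failed = True         # remembered; later modules still run
        elif control == "sufficient":
            if ok:
                return not failed     # stop here; an earlier failure still wins
            # a failing sufficient module is ignored
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return positive and not failed

# Account lines as posted in the thread (the pam_stack line is commented out there).
THREAD_STACK = [("sufficient", "pam_succeed_if"), ("sufficient", "pam_winbind")]
# Hypothetical variant: the group check is required instead of sufficient.
REQUIRED_STACK = [("required", "pam_succeed_if"), ("sufficient", "pam_winbind")]

def decide(stack, in_group, winbind_ok=True):
    """in_group: result of 'user ingroup sshusers'; winbind_ok: pam_winbind account result."""
    return run_stack(stack, {"pam_succeed_if": in_group, "pam_winbind": winbind_ok})

if __name__ == "__main__":
    for name, stack in (("thread", THREAD_STACK), ("required", REQUIRED_STACK)):
        for in_group in (True, False):
            print(name, "in sshusers:", in_group, "->", decide(stack, in_group))
```

In this model the posted stack admits a domain user outside sshusers, because the failed group check is ignored and pam_winbind then succeeds. The `required` variant denies that user, and would equally deny any local account that is not in the group.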