Thanks for your help. I got it working. I've moved the "account sufficient pam_succeed_if.so user ingroup" line to the top and moved the "auth include system-auth" to below it. I've verified that the domain users not belonging to the group could not ssh in while any Linux local users could.
On Thu, Sep 17, 2009 at 12:46 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
> Your /etc/pam.d/sshd looks different from mine. I'm running RHEL 5.4 with the Red Hat compiled Samba v3.0.33-3.14.el5. My /etc/pam.d/sshd looks like:
>
> auth include system-auth
> account required pam_nologin.so
> #account include system-auth
> account sufficient pam_succeed_if.so user ingroup users
> account sufficient pam_succeed_if.so user ingroup webdevelopers
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
> Once I got this working I did the following:
> 1. Created a /home/DOMAIN_NAME folder for home directories.
> 2. To auto-create home directories I checked the "create home directories on the first login" checkbox of the options tab of system-config-authentication. In previous RHEL releases I added "session required pam_mkhomedir.so skel=/etc/skel umask=0022" to /etc/pam.d/system-auth-ac to auto-create home directories in /home/DOMAIN_NAME.
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
> Phone 415-476-1344
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> Sent: Thursday, September 17, 2009 10:44 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> Yes I have. I've also restarted smb and winbind but I'm still able to ssh in using other domain user accounts that are not in the specified group sshusers.
> Does my sshd file look to be correct?
>
> On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
>
> > You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?
> >
> > Andrew Philipoff
> > Infrastructure Coordinator
> > Information Systems
> > Department of Medicine, UCSF
> >
> > ________________________________________
> > From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
> > Sent: Wednesday, September 16, 2009 6:16 PM
> > To: samba@lists.samba.org
> > Subject: Re: [Samba] locking down ssh when using winbind
> >
> > Thanks Andrew,
> >
> > The file didn't have the line "account required pam_stack.so service=system-auth", so I changed it to the following. The group's name in AD is domain\sshusers btw, so I'm not sure if I have to input it as domain\sshusers or sshusers. But it doesn't seem to work... What did I do wrong?:
> > #auth required pam_nologin.so
> > auth sufficient pam_stack.so service=system-auth
> > auth sufficient pam_winbind.so
> > account sufficient pam_succeed_if.so user ingroup sshusers
> > #account sufficient pam_stack.so service=system-auth
> > account sufficient pam_winbind.so
> > password required pam_stack.so service=system-auth
> > session required pam_stack.so service=system-auth
> > session required pam_loginuid.so
> >
> > On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
> >
> > > You can restrict access to specific local and domain groups:
> > >
> > > #account required pam_stack.so service=system-auth
> > > account sufficient pam_succeed_if.so user ingroup users
> > > account sufficient pam_succeed_if.so user ingroup webdevelopers
> > >
> > > Check here for more info:
> > > http://linux.die.net/man/8/pam_succeed_if
> > >
> > > Andrew Philipoff
> > > Infrastructure Coordinator
> > > Information Systems
> > > Department of Medicine, UCSF
> > >
> > > -----Original Message-----
> > > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> > > Sent: Wednesday, September 16, 2009 4:14 PM
> > > To: samba@lists.samba.org
> > > Subject: [Samba] locking down ssh when using winbind
> > >
> > > Hi all,
> > >
> > > I'm using samba with winbind which has been integrated with Active Directory.
> > > In the smb.conf file, I have
> > > template shell = /bin/bash
> > > winbind use default domain = yes
> > >
> > > to allow ssh but I don't want all the domain users to be able to ssh.
> > >
> > > Is there a way to only allow, for example, domain\ssh_group, which is an active directory group, to be able to ssh into the server?
> > >
> > > This is my current pam.d/sshd file:
> > > auth required pam_nologin.so
> > > auth sufficient pam_stack.so service=system-auth
> > > auth sufficient pam_winbind.so
> > > account sufficient pam_stack.so service=system-auth
> > > account sufficient pam_winbind.so
> > > password required pam_stack.so service=system-auth
> > > session required pam_stack.so service=system-auth
> > > session required pam_loginuid.so
> > > --
> > > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
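The whole thread turns on how Linux-PAM walks the `account` stack, so here is an added example (not code from the thread, from Samba or from Linux-PAM) that simulates the control flags over constructed users and reproduces why Luv's first ordering let every domain account through. The trailing `required pam_deny.so` in the locked stack is an assumption added here, not a line from either poster's configuration; `localuser`, `winbind` and the user table are constructed stand-ins.

```python
# Added example (not Samba, Linux-PAM or list code): a small simulator of the
# Linux-PAM control flags for the "account" stack, to show why line order in
# /etc/pam.d/sshd decides which domain users get past sshd. All data is constructed.

# Constructed sample directory: two local users, two winbind-mapped domain users.
USERS = {
    "alice": {"local": True,  "groups": {"users"}},
    "root":  {"local": True,  "groups": {"root"}},
    "bob":   {"local": False, "groups": {"domain users", "sshusers"}},
    "carol": {"local": False, "groups": {"domain users"}},
}
# Stand-ins for the modules named in the thread; each returns success/failure.
def succeed_if_ingroup(group):    # pam_succeed_if.so user ingroup <group>
    return lambda user: group in USERS[user]["groups"]

def localuser(user):              # pam_localuser.so: user exists in /etc/passwd
    return USERS[user]["local"]

def winbind(user):                # pam_winbind.so: any domain account passes
    return not USERS[user]["local"]

def deny(user):                   # pam_deny.so: always fails
    return False

def run_account_stack(stack, user):
    """Walk (control, module) pairs like Linux-PAM: a failing 'required' is noted and
    the walk goes on; a passing 'sufficient' ends the walk, succeeding only if no
    'required' failed; a failing 'sufficient' is ignored; nothing passing = failure."""
    required_failed = any_success = False
    for control, module in stack:
        ok = module(user)
        if control == "required":
            any_success |= ok
            required_failed |= not ok
        elif control == "sufficient" and ok:
            return not required_failed
    return any_success and not required_failed

# Luv's first attempt: a 'sufficient' pam_winbind after the group check still lets
# every domain account in, because a 'sufficient' line can only allow, never deny.
LEAKY_STACK = [("sufficient", succeed_if_ingroup("sshusers")), ("sufficient", winbind)]

# Group check first, local users allowed, then an explicit terminal deny (an
# assumption added here, not one of the thread's configs) so no later line can allow.
LOCKED_STACK = [("sufficient", succeed_if_ingroup("sshusers")),
                ("sufficient", localuser), ("required", deny)]

def who_may_log_in(stack):
    return sorted(u for u in USERS if run_account_stack(stack, u))
```

Running `who_may_log_in` over both stacks shows the leaky one admitting every domain account (and, with the system-auth line commented out as in Luv's post, no local user), while the locked one admits only the group members and local users.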