From: John P Arends <jare...@northwestern.edu>
Date: Thu, 24 Jan 2013 21:45:13 +0000
> The problem is, I can log on as any AD user.
>
> require_membership_of is being ignored. I can put in a valid group with
> no spaces in the name, a group by SID, and either way, everyone can log
> in.

As far as I examined Samba 3.5.6 shipped with Debian Squeeze, it worked.

I added these lines into my smb.conf:

-----
obey pam restrictions = yes
template shell = /bin/bash
-----

Also I added these lines into /etc/pam.d/common_auth:

-----
... pam_winbind.so require-membership-of=W2K8R2AD1\samba01g debug
-----

samba01g is a global security group.

I tried to log in as a user who does not belong to samba01g from another box
via ssh and cannot log in, with these logs:

-----
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): request wbcLogon User failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): user 'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership)
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): [pamh: 0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
-----

After joining the user to samba01g, the user can log in.

---
TAKAHASHI Motonobu <mo...@monyo.com> / @damemonyo
facebook.com/takahashi.motonobu
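One way to confirm from the auth log that the restriction is being enforced, as an added example that is not part of the original post: it groups pam_winbind lines by host and PID and reports each denial with its NTSTATUS. The function name and the "granted access" sample line (user samba02, PID 6300) are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the first three lines are the ones quoted in the message;
# the last line (samba02, pid 6300) is constructed to show a non-denial.
SAMPLE_LOG = r"""
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): request wbcLogon User failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): user 'W2K8R2AD1\samba01' denied access (incorrect password or invalid membership)
Jan 27 00:57:06 squeeze64-1 sshd[6261]: pam_winbind(sshd:auth): [pamh: 0x7f2a6c630f40] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
Jan 27 00:58:10 squeeze64-1 sshd[6300]: pam_winbind(sshd:auth): user 'W2K8R2AD1\samba02' granted access
"""

# syslog prefix, then "pam_winbind(<service>:<phase>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s[\w-]+\[(?P<pid>\d+)\]:\s"
    r"pam_winbind\((?P<svc>[^:)]+):\w+\):\s(?P<msg>.*)$")
DENIED_RE = re.compile(r"user '(?P<user>[^']+)' denied access")
NTSTATUS_RE = re.compile(r"NTSTATUS: (?P<nt>NT_STATUS_\w+)")


def winbind_denials(log_text):
    """Return one dict per denied login, joining related lines by (host, pid).

    The denial line itself says "incorrect password or invalid membership",
    so a record cannot tell a bad password from a group-membership refusal.
    """
    sessions = defaultdict(dict)
    denied_keys = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pam_winbind line
        key = (m["host"], m["pid"])
        nt = NTSTATUS_RE.search(m["msg"])
        if nt:
            sessions[key]["ntstatus"] = nt["nt"]
        denied = DENIED_RE.search(m["msg"])
        if denied:
            sessions[key].update(time=m["ts"], host=m["host"],
                                 service=m["svc"], user=denied["user"])
            denied_keys.append(key)
    return [sessions[k] for k in denied_keys]


if __name__ == "__main__":
    for rec in winbind_denials(SAMPLE_LOG):
        print(rec)
```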