Re: [Samba] Designate one samba server for home directories
I tried it but didn't work. I also tried for the home path, \\remote_smb_server\%U file://remote_smb_server/%25U (replaced remote_smb_server with the actual remote smb servername) but in the log, it says Error was No such file or directory and it puts forward slash in front of it, /\\remote_smb_server\%U in the log...

On Sat, Oct 3, 2009 at 8:17 PM, Gary Dale garyd...@rogers.com wrote:

> Luv Linux wrote:
>
>> Hello all,
>>
>> I have a few samba servers running winbind that are joined to the AD 2003 domain. Is it possible to designate one samba server to host the users' home directories instead of each one of them?
>>
>> If we have samba1, samba2, and samba3 and designate samba1 to host the home directories and when a user accesses samba 2 either via ssh or as a share, the home directory that the user sees would actually be present on samba1. If this is possible, what changes do I need to make to smb.conf file?
>
> Have you tried specifying the server name in the directory name? From the SWAT documentation on homes:
>
> Example: logon home = \\remote_smb_server\%U

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Designate one samba server for home directories
Hello all,

I have a few samba servers running winbind that are joined to the AD 2003 domain. Is it possible to designate one samba server to host the users' home directories instead of each one of them?

If we have samba1, samba2, and samba3 and designate samba1 to host the home directories and when a user accesses samba 2 either via ssh or as a share, the home directory that the user sees would actually be present on samba1. If this is possible, what changes do I need to make to smb.conf file?
Re: [Samba] locking down ssh when using winbind
Yes I have. I've also restarted smb and winbind but I'm still able to ssh in using other domain user accounts that are not in the specified group sshusers. Does my sshd file look to be correct?

On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew aphilip...@medicine.ucsf.edu wrote:

> You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
> From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
> Sent: Wednesday, September 16, 2009 6:16 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> Thanks Andrew,
>
> The file didn't have the line = account required pam_stack.so service=system-auth so changed it to the following, group's name in AD is domain\sshusers btw so I'm not sure if I have to input it as domain\sshusers or sshusers. But doesn't seem to work... What did I do wrong?:
>
> #auth      required     pam_nologin.so
> auth       sufficient   pam_stack.so service=system-auth
> auth       sufficient   pam_winbind.so
> account    sufficient   pam_succeed_if.so user ingroup sshusers
> #account   sufficient   pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
>
> On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew aphilip...@medicine.ucsf.edu wrote:
>
>> You can restrict access to specific local and domain groups:
>>
>> #account   required     pam_stack.so service=system-auth
>> account    sufficient   pam_succeed_if.so user ingroup users
>> account    sufficient   pam_succeed_if.so user ingroup webdevelopers
>>
>> Check here for more info: http://linux.die.net/man/8/pam_succeed_if
>>
>> Andrew Philipoff
>> Infrastructure Coordinator
>> Information Systems
>> Department of Medicine, UCSF
>>
>> -Original Message-
>> From: samba-boun...@lists.samba.org [mailto: samba-boun...@lists.samba.org] On Behalf Of Luv Linux
>> Sent: Wednesday, September 16, 2009 4:14 PM
>> To: samba@lists.samba.org
>> Subject: [Samba] locking down ssh when using winbind
>>
>> Hi all,
>>
>> I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
>>
>> template shell = /bin/bash
>> winbind use default domain = yes
>>
>> to allow ssh but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group which is an active directory group to be able to ssh into the server? This is my current pam.d/sshd file:
>>
>> auth       required     pam_nologin.so
>> auth       sufficient   pam_stack.so service=system-auth
>> auth       sufficient   pam_winbind.so
>> account    sufficient   pam_stack.so service=system-auth
>> account    sufficient   pam_winbind.so
>> password   required     pam_stack.so service=system-auth
>> session    required     pam_stack.so service=system-auth
>> session    required     pam_loginuid.so
[Samba] enumerate only the joined domain
Hi all,

We have multiple active directory domains in a single forest. I currently have winbind enumerate users/group to yes as it seems getent passwd and getent group do not work otherwise which breaks samba access if I set getent passwd and getent group to = no. Is this normal?

And when I do getent passwd, it lists all the users from other domains that are in the same forest and not just the domain that the samba server is on. Is there a way to have it just enumerate the users and groups that are in the same domain that the samba server is on?
Re: [Samba] locking down ssh when using winbind
Thanks for your help. I got it working. I've moved the account sufficient pam_succeed_if.so user ingroup line to the top and moved the auth include system-auth to below it. I've verified that the domain users not belonging to the group could not ssh in while any Linux local users could.

On Thu, Sep 17, 2009 at 12:46 PM, Philipoff, Andrew aphilip...@medicine.ucsf.edu wrote:

> Your /etc/pam.d/sshd looks different from mine. I'm running RHEL 5.4 with the Red Hat compiled Samba v3.0.33-3.14.el5. My /etc/pam.d/sshd looks like:
>
> auth       include      system-auth
> account    required     pam_nologin.so
> #account   include      system-auth
> account    sufficient   pam_succeed_if.so user ingroup users
> account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
> Once I got this working I did the following:
>
> 1. Created a /home/DOMAIN_NAME folder for home directories.
> 2. To auto-create home directories I checked the create home directories on the first login checkbox of the options tab of system-config-authentication. In previous RHEL releases I added session required pam_mkhomedir.so skel=/etc/skel umask=0022 to /etc/pam.d/system-auth-ac to auto-create home directories in /home/DOMAIN_NAME.
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
> Phone 415-476-1344
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> Sent: Thursday, September 17, 2009 10:44 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> Yes I have. I've also restarted smb and winbind but I'm still able to ssh in using other domain user accounts that are not in the specified group sshusers. Does my sshd file look to be correct?
>
> On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew aphilip...@medicine.ucsf.edu wrote:
>
>> You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?
>>
>> Andrew Philipoff
>> Infrastructure Coordinator
>> Information Systems
>> Department of Medicine, UCSF
>>
>> From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
>> Sent: Wednesday, September 16, 2009 6:16 PM
>> To: samba@lists.samba.org
>> Subject: Re: [Samba] locking down ssh when using winbind
>>
>> Thanks Andrew,
>>
>> The file didn't have the line = account required pam_stack.so service=system-auth so changed it to the following, group's name in AD is domain\sshusers btw so I'm not sure if I have to input it as domain\sshusers or sshusers. But doesn't seem to work... What did I do wrong?:
>>
>> #auth      required     pam_nologin.so
>> auth       sufficient   pam_stack.so service=system-auth
>> auth       sufficient   pam_winbind.so
>> account    sufficient   pam_succeed_if.so user ingroup sshusers
>> #account   sufficient   pam_stack.so service=system-auth
>> account    sufficient   pam_winbind.so
>> password   required     pam_stack.so service=system-auth
>> session    required     pam_stack.so service=system-auth
>> session    required     pam_loginuid.so
>>
>> On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew aphilip...@medicine.ucsf.edu wrote:
>>
>>> You can restrict access to specific local and domain groups:
>>>
>>> #account   required     pam_stack.so service=system-auth
>>> account    sufficient   pam_succeed_if.so user ingroup users
>>> account    sufficient   pam_succeed_if.so user ingroup webdevelopers
>>>
>>> Check here for more info: http://linux.die.net/man/8/pam_succeed_if
>>>
>>> Andrew Philipoff
>>> Infrastructure Coordinator
>>> Information Systems
>>> Department of Medicine, UCSF
>>>
>>> -Original Message-
>>> From: samba-boun...@lists.samba.org [mailto: samba-boun...@lists.samba.org] On Behalf Of Luv Linux
>>> Sent: Wednesday, September 16, 2009 4:14 PM
>>> To: samba@lists.samba.org
>>> Subject: [Samba] locking down ssh when using winbind
>>>
>>> Hi all,
>>>
>>> I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
>>>
>>> template shell = /bin/bash
>>> winbind use default domain = yes
>>>
>>> to allow ssh but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group which is an active directory group to be able to ssh into the server? This is my current pam.d/sshd file:
>>>
>>> auth       required     pam_nologin.so
>>> auth       sufficient   pam_stack.so service=system-auth
>>> auth       sufficient   pam_winbind.so
>>> account    sufficient   pam_stack.so service=system-auth
>>> account    sufficient   pam_winbind.so
>>> password   required     pam_stack.so service=system-auth
>>> session    required     pam_stack.so service
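
Added example (not part of the original thread and not any poster's code): a simplified Python model of how Linux-PAM walks an account stack. It shows why the account lines from the September 16 attempt still admit a domain user outside sshusers, while a stack whose only sufficient lines are group checks does not. The users alice and bob, the module return values and the reduced success/fail/ignore logic are assumptions of this sketch.

```python
# Simplified model of Linux-PAM "account" stack evaluation; users are constructed.

def ingroup(group):
    # Stands in for: pam_succeed_if.so user ingroup <group>
    return lambda user: "success" if group in user["groups"] else "fail"

def pam_winbind(user):
    # Assumption: winbind's account check passes for any valid domain account.
    return "success" if user["domain"] else "fail"

def pam_nologin(user):
    # Assumption: /etc/nologin is absent, so the module returns PAM_IGNORE.
    return "ignore"

def evaluate(stack, user):
    status = None                      # no module has voted yet
    for control, module in stack:
        result = module(user)
        if result == "ignore":
            continue
        if result == "fail":
            # Only required/requisite failures count; sufficient ones are ignored.
            if control in ("required", "requisite"):
                status = "fail"
                if control == "requisite":
                    break
            continue
        if status is None:
            status = "success"
        if control == "sufficient" and status == "success":
            break                      # a passing sufficient module ends the stack
    return status == "success"         # a stack with no vote at all denies

# Account lines from the September 16 attempt (commented-out line left out).
AS_POSTED = [("sufficient", ingroup("sshusers")), ("sufficient", pam_winbind)]

# Layout of the RHEL 5.4 example, with sshusers substituted for its groups.
GROUP_ONLY = [("required", pam_nologin), ("sufficient", ingroup("sshusers"))]

alice = {"name": "alice", "domain": True, "groups": {"domain users", "sshusers"}}
bob = {"name": "bob", "domain": True, "groups": {"domain users"}}

def compare(user):
    return {"as_posted": evaluate(AS_POSTED, user), "group_only": evaluate(GROUP_ONLY, user)}

if __name__ == "__main__":
    for u in (alice, bob):
        print(u["name"], compare(u))
```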
[Samba] locking down ssh when using winbind
Hi all,

I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have

template shell = /bin/bash
winbind use default domain = yes

to allow ssh but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group which is an active directory group to be able to ssh into the server? This is my current pam.d/sshd file:

auth       required     pam_nologin.so
auth       sufficient   pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
account    sufficient   pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
Re: [Samba] locking down ssh when using winbind
Thanks Andrew,

The file didn't have the line = account required pam_stack.so service=system-auth so changed it to the following, group's name in AD is domain\sshusers btw so I'm not sure if I have to input it as domain\sshusers or sshusers. But doesn't seem to work... What did I do wrong?:

#auth      required     pam_nologin.so
auth       sufficient   pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
account    sufficient   pam_succeed_if.so user ingroup sshusers
#account   sufficient   pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew aphilip...@medicine.ucsf.edu wrote:

> You can restrict access to specific local and domain groups:
>
> #account   required     pam_stack.so service=system-auth
> account    sufficient   pam_succeed_if.so user ingroup users
> account    sufficient   pam_succeed_if.so user ingroup webdevelopers
>
> Check here for more info: http://linux.die.net/man/8/pam_succeed_if
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> Sent: Wednesday, September 16, 2009 4:14 PM
> To: samba@lists.samba.org
> Subject: [Samba] locking down ssh when using winbind
>
> Hi all,
>
> I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
>
> template shell = /bin/bash
> winbind use default domain = yes
>
> to allow ssh but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group which is an active directory group to be able to ssh into the server? This is my current pam.d/sshd file:
>
> auth       required     pam_nologin.so
> auth       sufficient   pam_stack.so service=system-auth
> auth       sufficient   pam_winbind.so
> account    sufficient   pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
[Samba] samba wins question
Hello all,

I have some questions regarding samba's wins configuration in an environment where samba has been integrated with Windows 2003 Active Directory. We do not use WINS in our Active Directory environment and only use DNS.

We have 2 samba servers, let's say they are named samba1 and samba2. samba1 is running 3.0.33-3.7.el5_3.1 and samba2 is running 3.0.28a-1ubuntu4.8. Both of their configuration regarding WINS:

name resolve order = hosts lmhosts bcast
wins support = no
dns proxy = no

This seems to work fine but was wondering if there's a better configuration that I should be using. If this is not an ideal configuration, should I configure one of the samba servers, let's say samba1 as WINS and thus, change the configuration on them as follows? Since we're not going to set WINS configuration on our Windows client machines, they won't register to WINS on samba server though:

change samba1's smb.conf:

wins support = yes
dns proxy = yes
name resolve order = wins lmhosts hosts bcast

change samba2's smb.conf:

wins server = IP of samba1
wins proxy = yes
dns proxy = yes
name resolve order = wins hosts lmhosts bcast