Re: [Samba] locking down ssh when using winbind
Yes I have. I've also restarted smb and winbind but I'm still able to ssh in using other domain user accounts that are not in the specified group sshusers. Does my sshd file look to be correct?

On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:

> You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
> From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
> Sent: Wednesday, September 16, 2009 6:16 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> > Thanks Andrew,
> >
> > The file didn't have the line "account required pam_stack.so service=system-auth", so I changed it to the following. The group's name in AD is domain\sshusers, btw, so I'm not sure if I have to input it as domain\sshusers or sshusers. But it doesn't seem to work... What did I do wrong?
> >
> >     #auth      required     pam_nologin.so
> >     auth       sufficient   pam_stack.so service=system-auth
> >     auth       sufficient   pam_winbind.so
> >     account    sufficient   pam_succeed_if.so user ingroup sshusers
> >     #account   sufficient   pam_stack.so service=system-auth
> >     account    sufficient   pam_winbind.so
> >     password   required     pam_stack.so service=system-auth
> >     session    required     pam_stack.so service=system-auth
> >     session    required     pam_loginuid.so
> >
> > On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
> >
> > > You can restrict access to specific local and domain groups:
> > >
> > >     #account   required     pam_stack.so service=system-auth
> > >     account    sufficient   pam_succeed_if.so user ingroup users
> > >     account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> > >
> > > Check here for more info: http://linux.die.net/man/8/pam_succeed_if
> > >
> > > Andrew Philipoff
> > > Infrastructure Coordinator
> > > Information Systems
> > > Department of Medicine, UCSF
> > >
> > > -----Original Message-----
> > > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> > > Sent: Wednesday, September 16, 2009 4:14 PM
> > > To: samba@lists.samba.org
> > > Subject: [Samba] locking down ssh when using winbind
> > >
> > > > Hi all,
> > > >
> > > > I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
> > > >
> > > >     template shell = /bin/bash
> > > >     winbind use default domain = yes
> > > >
> > > > to allow ssh, but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group, which is an Active Directory group, to be able to ssh into the server?
> > > >
> > > > This is my current pam.d/sshd file:
> > > >
> > > >     auth       required     pam_nologin.so
> > > >     auth       sufficient   pam_stack.so service=system-auth
> > > >     auth       sufficient   pam_winbind.so
> > > >     account    sufficient   pam_stack.so service=system-auth
> > > >     account    sufficient   pam_winbind.so
> > > >     password   required     pam_stack.so service=system-auth
> > > >     session    required     pam_stack.so service=system-auth
> > > >     session    required     pam_loginuid.so

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] locking down ssh when using winbind
Your /etc/pam.d/sshd looks different from mine. I'm running RHEL 5.4 with the Red Hat compiled Samba v3.0.33-3.14.el5. My /etc/pam.d/sshd looks like:

    auth       include      system-auth
    account    required     pam_nologin.so
    #account   include      system-auth
    account    sufficient   pam_succeed_if.so user ingroup users
    account    sufficient   pam_succeed_if.so user ingroup webdevelopers
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

Once I got this working I did the following:

1. Created a /home/DOMAIN_NAME folder for home directories.
2. To auto-create home directories I checked the "create home directories on the first login" checkbox of the options tab of system-config-authentication. In previous RHEL releases I added

       session    required     pam_mkhomedir.so skel=/etc/skel umask=0022

   to /etc/pam.d/system-auth-ac to auto-create home directories in /home/DOMAIN_NAME.

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF
Phone 415-476-1344

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
Sent: Thursday, September 17, 2009 10:44 AM
To: samba@lists.samba.org
Subject: Re: [Samba] locking down ssh when using winbind

> Yes I have. I've also restarted smb and winbind but I'm still able to ssh in using other domain user accounts that are not in the specified group sshusers. Does my sshd file look to be correct?
>
> On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
>
> > You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?
> >
> > Andrew Philipoff
> > Infrastructure Coordinator
> > Information Systems
> > Department of Medicine, UCSF
> >
> > From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
> > Sent: Wednesday, September 16, 2009 6:16 PM
> > To: samba@lists.samba.org
> > Subject: Re: [Samba] locking down ssh when using winbind
> >
> > > Thanks Andrew,
> > >
> > > The file didn't have the line "account required pam_stack.so service=system-auth", so I changed it to the following. The group's name in AD is domain\sshusers, btw, so I'm not sure if I have to input it as domain\sshusers or sshusers. But it doesn't seem to work... What did I do wrong?
> > >
> > >     #auth      required     pam_nologin.so
> > >     auth       sufficient   pam_stack.so service=system-auth
> > >     auth       sufficient   pam_winbind.so
> > >     account    sufficient   pam_succeed_if.so user ingroup sshusers
> > >     #account   sufficient   pam_stack.so service=system-auth
> > >     account    sufficient   pam_winbind.so
> > >     password   required     pam_stack.so service=system-auth
> > >     session    required     pam_stack.so service=system-auth
> > >     session    required     pam_loginuid.so
> > >
> > > On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
> > >
> > > > You can restrict access to specific local and domain groups:
> > > >
> > > >     #account   required     pam_stack.so service=system-auth
> > > >     account    sufficient   pam_succeed_if.so user ingroup users
> > > >     account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> > > >
> > > > Check here for more info: http://linux.die.net/man/8/pam_succeed_if
> > > >
> > > > Andrew Philipoff
> > > > Infrastructure Coordinator
> > > > Information Systems
> > > > Department of Medicine, UCSF
> > > >
> > > > -----Original Message-----
> > > > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> > > > Sent: Wednesday, September 16, 2009 4:14 PM
> > > > To: samba@lists.samba.org
> > > > Subject: [Samba] locking down ssh when using winbind
> > > >
> > > > > Hi all,
> > > > >
> > > > > I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
> > > > >
> > > > >     template shell = /bin/bash
> > > > >     winbind use default domain = yes
> > > > >
> > > > > to allow ssh, but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group, which is an Active Directory group, to be able to ssh into the server?
> > > > >
> > > > > This is my current pam.d/sshd file:
> > > > >
> > > > >     auth       required     pam_nologin.so
> > > > >     auth       sufficient   pam_stack.so service=system-auth
> > > > >     auth       sufficient   pam_winbind.so
> > > > >     account    sufficient   pam_stack.so service=system-auth
> > > > >     account    sufficient   pam_winbind.so
> > > > >     password   required     pam_stack.so service=system-auth
> > > > >     session    required     pam_stack.so service=system-auth
> > > > >     session    required     pam_loginuid.so
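The difference between the two account stacks in this message is PAM's walk order: in Luv's attempt the line "account sufficient pam_winbind.so" follows the failed group test and grants any valid domain account, while in Andrew's stack nothing after the pam_succeed_if lines can return success, so a non-member is denied. The Python model below is an added illustration, not code from the thread, Linux-PAM or Samba; it assumes pam_nologin returns PAM_IGNORE because /etc/nologin is absent, simplifies pam_winbind's account check to pass for any domain account, and uses constructed sample accounts.

```python
# Toy model of how Linux-PAM walks an "account" stack, added here to compare
# the stacks posted in the thread. It is not Linux-PAM or Samba code; module
# behaviour is simplified as noted, and only the thread's control flags exist.
SUCCESS, IGNORE, FAIL = "success", "ignore", "fail"

def pam_nologin(user, args):
    # Without "successok", pam_nologin returns PAM_IGNORE if /etc/nologin is
    # absent (assumed absent here), so it neither grants nor denies.
    return IGNORE
def pam_winbind(user, args):
    # Simplification: the account check passes for any valid domain account.
    return SUCCESS if user["domain"] else FAIL
def pam_succeed_if(user, args):
    # Only the "user ingroup <group>" test used in the thread is modelled.
    assert args[:2] == ["user", "ingroup"], args
    return SUCCESS if args[2] in user["groups"] else FAIL

MODULES = {"pam_nologin.so": pam_nologin, "pam_winbind.so": pam_winbind,
           "pam_succeed_if.so": pam_succeed_if}

def account_stack_grants(lines, user):
    """True if the account lines grant access to user, a dict with a 'domain'
    flag and a 'groups' list. Blank and comment lines are skipped."""
    impression = None  # None: no module has decided yet; True/False otherwise
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, control, module, *args = line.split()
        ret = MODULES[module](user, args)
        if ret == IGNORE:
            continue
        if control == "required":
            if ret == FAIL:
                impression = False   # failure is remembered, walk continues
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ret == SUCCESS and impression is not False:
                return True          # decided here; later lines never run
            # a failing "sufficient" line is simply ignored
        else:
            raise ValueError("unsupported control flag: " + control)
    return impression is True        # nobody said yes => access denied

# Luv's second attempt, account lines only: after the group test fails,
# pam_winbind still answers yes for every domain account.
LUV_STACK = """account sufficient pam_succeed_if.so user ingroup sshusers
#account sufficient pam_stack.so service=system-auth
account sufficient pam_winbind.so""".splitlines()
# Andrew's working stack: after the group tests nothing is left to say yes.
ANDREW_STACK = """account required pam_nologin.so
#account include system-auth
account sufficient pam_succeed_if.so user ingroup users
account sufficient pam_succeed_if.so user ingroup webdevelopers""".splitlines()
# Constructed sample accounts (not from the thread).
OUTSIDER = {"domain": True, "groups": ["domain users"]}
DEVELOPER = {"domain": True, "groups": ["domain users", "webdevelopers"]}
LOCAL = {"domain": False, "groups": ["users"]}
```

Running account_stack_grants(LUV_STACK, OUTSIDER) returns True while account_stack_grants(ANDREW_STACK, OUTSIDER) returns False, which is exactly the behaviour the thread reports.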
Re: [Samba] locking down ssh when using winbind
Thanks for your help. I got it working. I've moved the "account sufficient pam_succeed_if.so user ingroup" line to the top and moved the "auth include system-auth" to below it. I've verified that the domain users not belonging to the group could not ssh in while any Linux local users could.

On Thu, Sep 17, 2009 at 12:46 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:

> Your /etc/pam.d/sshd looks different from mine. I'm running RHEL 5.4 with the Red Hat compiled Samba v3.0.33-3.14.el5. My /etc/pam.d/sshd looks like:
>
>     auth       include      system-auth
>     account    required     pam_nologin.so
>     #account   include      system-auth
>     account    sufficient   pam_succeed_if.so user ingroup users
>     account    sufficient   pam_succeed_if.so user ingroup webdevelopers
>     password   include      system-auth
>     session    optional     pam_keyinit.so force revoke
>     session    include      system-auth
>     session    required     pam_loginuid.so
>
> Once I got this working I did the following:
>
> 1. Created a /home/DOMAIN_NAME folder for home directories.
> 2. To auto-create home directories I checked the "create home directories on the first login" checkbox of the options tab of system-config-authentication. In previous RHEL releases I added
>
>        session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
>
>    to /etc/pam.d/system-auth-ac to auto-create home directories in /home/DOMAIN_NAME.
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
> Phone 415-476-1344
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> Sent: Thursday, September 17, 2009 10:44 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] locking down ssh when using winbind
>
> > Yes I have. I've also restarted smb and winbind but I'm still able to ssh in using other domain user accounts that are not in the specified group sshusers. Does my sshd file look to be correct?
> >
> > On Wed, Sep 16, 2009 at 9:30 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
> >
> > > You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?
> > >
> > > Andrew Philipoff
> > > Infrastructure Coordinator
> > > Information Systems
> > > Department of Medicine, UCSF
> > >
> > > From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
> > > Sent: Wednesday, September 16, 2009 6:16 PM
> > > To: samba@lists.samba.org
> > > Subject: Re: [Samba] locking down ssh when using winbind
> > >
> > > > Thanks Andrew,
> > > >
> > > > The file didn't have the line "account required pam_stack.so service=system-auth", so I changed it to the following. The group's name in AD is domain\sshusers, btw, so I'm not sure if I have to input it as domain\sshusers or sshusers. But it doesn't seem to work... What did I do wrong?
> > > >
> > > >     #auth      required     pam_nologin.so
> > > >     auth       sufficient   pam_stack.so service=system-auth
> > > >     auth       sufficient   pam_winbind.so
> > > >     account    sufficient   pam_succeed_if.so user ingroup sshusers
> > > >     #account   sufficient   pam_stack.so service=system-auth
> > > >     account    sufficient   pam_winbind.so
> > > >     password   required     pam_stack.so service=system-auth
> > > >     session    required     pam_stack.so service=system-auth
> > > >     session    required     pam_loginuid.so
> > > >
> > > > On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
> > > >
> > > > > You can restrict access to specific local and domain groups:
> > > > >
> > > > >     #account   required     pam_stack.so service=system-auth
> > > > >     account    sufficient   pam_succeed_if.so user ingroup users
> > > > >     account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> > > > >
> > > > > Check here for more info: http://linux.die.net/man/8/pam_succeed_if
> > > > >
> > > > > Andrew Philipoff
> > > > > Infrastructure Coordinator
> > > > > Information Systems
> > > > > Department of Medicine, UCSF
> > > > >
> > > > > -----Original Message-----
> > > > > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> > > > > Sent: Wednesday, September 16, 2009 4:14 PM
> > > > > To: samba@lists.samba.org
> > > > > Subject: [Samba] locking down ssh when using winbind
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
> > > > > >
> > > > > >     template shell = /bin/bash
> > > > > >     winbind use default domain = yes
> > > > > >
> > > > > > to allow ssh, but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group, which is an Active Directory group, to be able to ssh into the server?
> > > > > >
> > > > > > This is my current pam.d/sshd file:
> > > > > >
> > > > > >     auth       required     pam_nologin.so
> > > > > >     auth       sufficient   pam_stack.so service=system-auth
> > > > > >     auth       sufficient   pam_winbind.so
> > > > > >     account    sufficient   pam_stack.so service=system-auth
> > > > > >     account    sufficient   pam_winbind.so
> > > > > >     password   required     pam_stack.so service=system-auth
> > > > > >     session    required     pam_stack.so service
[Samba] locking down ssh when using winbind
Hi all,

I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have

    template shell = /bin/bash
    winbind use default domain = yes

to allow ssh, but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group, which is an Active Directory group, to be able to ssh into the server?

This is my current pam.d/sshd file:

    auth       required     pam_nologin.so
    auth       sufficient   pam_stack.so service=system-auth
    auth       sufficient   pam_winbind.so
    account    sufficient   pam_stack.so service=system-auth
    account    sufficient   pam_winbind.so
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_loginuid.so
Re: [Samba] locking down ssh when using winbind
You can restrict access to specific local and domain groups:

    #account   required     pam_stack.so service=system-auth
    account    sufficient   pam_succeed_if.so user ingroup users
    account    sufficient   pam_succeed_if.so user ingroup webdevelopers

Check here for more info: http://linux.die.net/man/8/pam_succeed_if

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
Sent: Wednesday, September 16, 2009 4:14 PM
To: samba@lists.samba.org
Subject: [Samba] locking down ssh when using winbind

> Hi all,
>
> I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
>
>     template shell = /bin/bash
>     winbind use default domain = yes
>
> to allow ssh, but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group, which is an Active Directory group, to be able to ssh into the server?
>
> This is my current pam.d/sshd file:
>
>     auth       required     pam_nologin.so
>     auth       sufficient   pam_stack.so service=system-auth
>     auth       sufficient   pam_winbind.so
>     account    sufficient   pam_stack.so service=system-auth
>     account    sufficient   pam_winbind.so
>     password   required     pam_stack.so service=system-auth
>     session    required     pam_stack.so service=system-auth
>     session    required     pam_loginuid.so
Re: [Samba] locking down ssh when using winbind
Thanks Andrew,

The file didn't have the line "account required pam_stack.so service=system-auth", so I changed it to the following. The group's name in AD is domain\sshusers, btw, so I'm not sure if I have to input it as domain\sshusers or sshusers. But it doesn't seem to work... What did I do wrong?

    #auth      required     pam_nologin.so
    auth       sufficient   pam_stack.so service=system-auth
    auth       sufficient   pam_winbind.so
    account    sufficient   pam_succeed_if.so user ingroup sshusers
    #account   sufficient   pam_stack.so service=system-auth
    account    sufficient   pam_winbind.so
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_loginuid.so

On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:

> You can restrict access to specific local and domain groups:
>
>     #account   required     pam_stack.so service=system-auth
>     account    sufficient   pam_succeed_if.so user ingroup users
>     account    sufficient   pam_succeed_if.so user ingroup webdevelopers
>
> Check here for more info: http://linux.die.net/man/8/pam_succeed_if
>
> Andrew Philipoff
> Infrastructure Coordinator
> Information Systems
> Department of Medicine, UCSF
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> Sent: Wednesday, September 16, 2009 4:14 PM
> To: samba@lists.samba.org
> Subject: [Samba] locking down ssh when using winbind
>
> > Hi all,
> >
> > I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
> >
> >     template shell = /bin/bash
> >     winbind use default domain = yes
> >
> > to allow ssh, but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group, which is an Active Directory group, to be able to ssh into the server?
> >
> > This is my current pam.d/sshd file:
> >
> >     auth       required     pam_nologin.so
> >     auth       sufficient   pam_stack.so service=system-auth
> >     auth       sufficient   pam_winbind.so
> >     account    sufficient   pam_stack.so service=system-auth
> >     account    sufficient   pam_winbind.so
> >     password   required     pam_stack.so service=system-auth
> >     session    required     pam_stack.so service=system-auth
> >     session    required     pam_loginuid.so
Re: [Samba] locking down ssh when using winbind
You shouldn't need to define a domain, sshusers should be sufficient. Did you restart sshd?

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF

From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] On Behalf Of Luv Linux [luvlinux2...@gmail.com]
Sent: Wednesday, September 16, 2009 6:16 PM
To: samba@lists.samba.org
Subject: Re: [Samba] locking down ssh when using winbind

> Thanks Andrew,
>
> The file didn't have the line "account required pam_stack.so service=system-auth", so I changed it to the following. The group's name in AD is domain\sshusers, btw, so I'm not sure if I have to input it as domain\sshusers or sshusers. But it doesn't seem to work... What did I do wrong?
>
>     #auth      required     pam_nologin.so
>     auth       sufficient   pam_stack.so service=system-auth
>     auth       sufficient   pam_winbind.so
>     account    sufficient   pam_succeed_if.so user ingroup sshusers
>     #account   sufficient   pam_stack.so service=system-auth
>     account    sufficient   pam_winbind.so
>     password   required     pam_stack.so service=system-auth
>     session    required     pam_stack.so service=system-auth
>     session    required     pam_loginuid.so
>
> On Wed, Sep 16, 2009 at 4:48 PM, Philipoff, Andrew <aphilip...@medicine.ucsf.edu> wrote:
>
> > You can restrict access to specific local and domain groups:
> >
> >     #account   required     pam_stack.so service=system-auth
> >     account    sufficient   pam_succeed_if.so user ingroup users
> >     account    sufficient   pam_succeed_if.so user ingroup webdevelopers
> >
> > Check here for more info: http://linux.die.net/man/8/pam_succeed_if
> >
> > Andrew Philipoff
> > Infrastructure Coordinator
> > Information Systems
> > Department of Medicine, UCSF
> >
> > -----Original Message-----
> > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Luv Linux
> > Sent: Wednesday, September 16, 2009 4:14 PM
> > To: samba@lists.samba.org
> > Subject: [Samba] locking down ssh when using winbind
> >
> > > Hi all,
> > >
> > > I'm using samba with winbind which has been integrated with Active Directory. In the smb.conf file, I have
> > >
> > >     template shell = /bin/bash
> > >     winbind use default domain = yes
> > >
> > > to allow ssh, but I don't want all the domain users to be able to ssh. Is there a way to only allow (for example) domain\ssh_group, which is an Active Directory group, to be able to ssh into the server?
> > >
> > > This is my current pam.d/sshd file:
> > >
> > >     auth       required     pam_nologin.so
> > >     auth       sufficient   pam_stack.so service=system-auth
> > >     auth       sufficient   pam_winbind.so
> > >     account    sufficient   pam_stack.so service=system-auth
> > >     account    sufficient   pam_winbind.so
> > >     password   required     pam_stack.so service=system-auth
> > >     session    required     pam_stack.so service=system-auth
> > >     session    required     pam_loginuid.so