Re: [Samba] ssh login through AD solution

2006-09-25 Thread Felipe Augusto van de Wiel

Hi Matt,

On 09/22/2006 01:24 PM, Matt Herzog wrote:
 Thanks to Anthony Ciarochi at Centeris for this solution.
 
 I have a Centos (Red Hat-based) server that is now accessible to AD users
 AND local users via ssh. I can control which AD groups can log in using the
 syntax below. Red Hat-based distros use pam_stack in pam.d, which is quite
 different from Debian's include-based pam.d:
 
 cat /etc/pam.d/sshd
 # --
 #%PAM-1.0
 auth       required     pam_stack.so service=system-auth
 auth       required     pam_nologin.so
 account    sufficient   pam_succeed_if.so user ingroup sshlogin
 account    sufficient   pam_succeed_if.so user ingroup wheel
 password   required     pam_stack.so service=system-auth
 session    required     pam_stack.so service=system-auth
 session    required     pam_loginuid.so
 session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
 # --
 
 The critical lines are:
 
    account    sufficient   pam_succeed_if.so user ingroup sshlogin
 
 The above is to allow an AD group sshlogin to ssh in.
 
    account    sufficient   pam_succeed_if.so user ingroup wheel
 
 The above allows anyone in the *local machine* unix group wheel to ssh in.
 
    session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
 
 The above creates home dirs and dot files for AD users when they log in for
 the first time.


Could you add that information to the wiki?

http://wiki.samba.org


Kind regards,

- --
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] ssh login through AD solution

2006-09-22 Thread Matt Herzog
Thanks to Anthony Ciarochi at Centeris for this solution.

I have a Centos (Red Hat-based) server that is now accessible to AD users
AND local users via ssh. I can control which AD groups can log in using the
syntax below. Red Hat-based distros use pam_stack in pam.d, which is quite
different from Debian's include-based pam.d:

cat /etc/pam.d/sshd
# --
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_succeed_if.so user ingroup sshlogin
account    sufficient   pam_succeed_if.so user ingroup wheel
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
# --

The critical lines are:

   account    sufficient   pam_succeed_if.so user ingroup sshlogin

The above is to allow an AD group sshlogin to ssh in.

   account    sufficient   pam_succeed_if.so user ingroup wheel

The above allows anyone in the *local machine* unix group wheel to ssh in.

   session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027

The above creates home dirs and dot files for AD users when they log in for
the first time.

-- 
Announcing your plans is a good way to hear the gods' laughter.
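To see why the two `account sufficient` lines act as an allow-list, here is an added example (not from the post) that parses the sshd stack above and simulates Linux-PAM's account-phase control flags: `sufficient` short-circuits to success, a failed `sufficient` is ignored, and a stack in which no module succeeds is denied. It assumes the `user ingroup NAME` form of pam_succeed_if.so and constructed user/group memberships; real group resolution goes through NSS (winbind for AD groups).

```python
"""Simulate the 'account' phase of the sshd PAM stack from the post.

Constructed example. Models Linux-PAM control flags: 'sufficient' returns
success immediately (unless an earlier 'required' already failed) and is
ignored on failure; 'required' records the failure and keeps going; if every
module was ignored, PAM denies (PAM_PERM_DENIED).
"""

# Constructed copy of the /etc/pam.d/sshd from the post.
PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_succeed_if.so user ingroup sshlogin
account    sufficient   pam_succeed_if.so user ingroup wheel
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
"""


def parse_stack(text, phase):
    """Return [(control, module, args)] for one management group, e.g. 'account'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == phase:
            rules.append((fields[1], fields[2], fields[3:]))
    return rules


def succeed_if(args, groups):
    """Evaluate the pam_succeed_if.so condition used in the post: 'user ingroup NAME'."""
    if args[:2] == ["user", "ingroup"] and len(args) == 3:
        return args[2] in groups
    raise ValueError("unsupported pam_succeed_if condition: " + " ".join(args))


def account_allowed(text, groups):
    """Run the account stack for a user with the given group set; True = authorized."""
    failed_required = False
    for control, module, args in parse_stack(text, "account"):
        ok = succeed_if(args, groups) if module == "pam_succeed_if.so" else True
        if control == "sufficient" and ok and not failed_required:
            return True  # sufficient succeeded: stop here with success
        if control == "required" and not ok:
            failed_required = True  # remember failure, keep evaluating
    return False  # nothing succeeded (all ignored) or a required module failed
```

Users in neither `sshlogin` nor `wheel` fall off the end of the stack and are denied, which is what makes this configuration restrictive rather than permissive.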