Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
pam_access actually worked very well and is the most powerful / flexible
of all the choices, so that's the one I'm going with.

Thanks to everyone who replied.

John

On 20 June 2011 18:35, TAKAHASHI Motonobu wrote:

> On 06/17/2011 12:28 PM, John McNulty wrote:
> > Hi.
> >
> > I have some shares on a server that are offered to specific Active
> > Directory user groups, but the business doesn't want those users to
> > be able to log in to the server. If I were to add
> > "require_membership_of" to pam_winbind to limit logins and shut out
> > the users I don't want, would it also have the side effect of denying
> > those users access to the shares as well?
>
> From: John McNulty
> Date: Mon, 20 Jun 2011 10:50:45 +0100
>
> > The user accounts exist in Active Directory and we're using the
> > rfc2307 schema. So the shell is set in AD. I cannot change the shell
> > to /bin/false or that would affect all the other servers they log in
> > to.
>
> I see. You may manage local login with the facility of PAM, for
> example pam_access, pam_listfile or others...
>
> ---
> TAKAHASHI Motonobu / @damemonyo
> http://damedame.monyo.com/ / http://facebook.com/monyot

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
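
A minimal pam_access setup for the outcome described in this thread (share access kept, SSH login refused), added here as an illustration and not taken from any poster's configuration. It assumes winbind already resolves AD groups through NSS; the group name ad-share-users is a placeholder, and other login services such as the console need the same PAM line in their own service file.

```conf
# --- /etc/pam.d/sshd (account section) ---
# Evaluate /etc/security/access.conf for SSH logins only. Putting the line
# in the sshd service file, not in a shared include used by every service,
# keeps the restriction scoped to SSH.
account    required     pam_access.so

# --- /etc/security/access.conf ---
# Format: permission : users/groups : origins
# The first matching line decides; if no line matches, access is granted.
# Parentheses mark a group name. "ad-share-users" is a placeholder: use the
# name exactly as "getent group" prints it on this server.

# Refuse every origin to members of the share-only AD group.
- : (ad-share-users) : ALL

# --- /etc/ssh/sshd_config ---
# sshd runs the PAM account stack only when PAM is enabled.
UsePAM yes

# --- smb.conf, [global] ---
# With the default "no", smbd ignores PAM account and session management,
# so the access.conf rule above does not affect share access. If set to
# "yes", smbd applies the account stack of its own PAM service file, which
# is separate from /etc/pam.d/sshd.
obey pam restrictions = no
```

To check the result, confirm that a member of the group is refused over SSH while the same account can still connect to the share.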
Re: [Samba] net ads user info .vs. wbinfo -g ?
That's really useful, thanks.

John

On 21 June 2011 12:25, Robert Freeman-Day wrote:

> On 06/20/2011 12:44 PM, John McNulty wrote:
> > The group names from these two commands display differently. For
> > example:
> >
> > $ net ads user info my-name -U my-name
> > .
> > .
> > Systems Engineering EU
> >
> > $ wbinfo -g
> > .
> > .
> > systemsengineeringeu.write
> >
> > Why is this different?
> >
> > Regards,
> >
> > John
>
> John,
>
> The "net" command is a close relative to the "net" command for Windows.
> It will display information in a format more like Windows or LDAP-like
> output.
>
> If you do this type of "net" command on your Samba install:
>
> net ads search "(SAMAccountName=adusername)" -P
>
> you will get all the entries from Active Directory, similar to the
> output from ADSIedit. The "-P" allows you to use your Samba machine's
> credentials (if it is joined to the domain).
>
> net ads search "(&(objectCategory=computer)(name=*rhel*))" -P
>
> allows LDAP-like searching.
>
> "wbinfo" and "winbindd" allow translation from Windows account formats
> to Unix-like account formats. This is why the outputs are different.
>
> If you were to do a "getent passwd aduser" you will get a direct entry
> that is as if it was from /etc/passwd. It is actually getting info from
> "winbindd" and translating it on the fly.
>
> Hope that helps differentiate them.
>
> Robert
> --
> Robert Freeman-Day
>
> https://launchpad.net/~presgas
> GPG Public Key:
> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
[Samba] net ads user info .vs. wbinfo -g ?
The group names from these two commands display differently. For example:

$ net ads user info my-name -U my-name
.
.
Systems Engineering EU

$ wbinfo -g
.
.
systemsengineeringeu.write

Why is this different?

Regards,

John
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
Ah, maybe I'm not being clear enough. I want the AD users to be able to
access the shares, but not ssh login to the system, which they can
currently. I'm wondering if this is a method I can use to achieve that
end, as an alternative to using AllowUsers/AllowGroups in sshd_config or
using pam_listfile.

On 17 June 2011 17:46, Aaron E. wrote:

> In the samba share definition you could add
>
> valid users = +group
>
> this should have the effect you're looking for if I understand you
> correctly. If not, my apologies.
[Samba] Restricting logins using pam_winbind require_membership_of ?
Hi.

I have some shares on a server that are offered to specific Active
Directory user groups, but the business doesn't want those users to be
able to log in to the server. If I were to add "require_membership_of" to
pam_winbind to limit logins and shut out the users I don't want, would it
also have the side effect of denying those users access to the shares as
well?

Regards,

John