Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
pam_access actually worked very well and is the most powerful / flexible of all the choices, so that's the one I'm going with. Thanks to everyone who replied. John On 20 June 2011 18:35, TAKAHASHI Motonobu wrote: > On 06/17/2011 12:28 PM, John McNulty wrote: > > Hi. > > > > I have some shares on a server that are offered to specific Active > Directory > > user groups, but the business doesn't want those users to be able to > login > > to the server. If I were to add "require_membership_of" to pam_winbind > to > > limit logins and shut out the users I don't want, would it also have the > > side effect of denying those users access to the shares as well? > > From: John McNulty > Date: Mon, 20 Jun 2011 10:50:45 +0100 > > > The user accounts exist in Active Directory and we're using the rfc2307 > > schema. So the shell is set in AD. I cannot change the shell to > /bin/false > > or that would affect all the other servers they login to. > > I see. You may manage local login with the facility of PAM, for > example pam_access, pam_listfile or others... > > --- > TAKAHASHI Motonobu / @damemonyo > http://damedame.monyo.com/ / http://facebook.com/monyot > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
On 06/17/2011 12:28 PM, John McNulty wrote: > Hi. > > I have some shares on a server that are offered to specific Active Directory > user groups, but the business doesn't want those users to be able to login > to the server. If I were to add "require_membership_of" to pam_winbind to > limit logins and shut out the users I don't want, would it also have the > side effect of denying those users access to the shares as well? From: John McNulty Date: Mon, 20 Jun 2011 10:50:45 +0100 > The user accounts exist in Active Directory and we're using the rfc2307 > schema. So the shell is set in AD. I cannot change the shell to /bin/false > or that would affect all the other servers they login to. I see. You may manage local login with the facility of PAM, for example pam_access, pam_listfile or others... --- TAKAHASHI Motonobu / @damemonyo http://damedame.monyo.com/ / http://facebook.com/monyot -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
From: John McNulty Date: Sat, 18 Jun 2011 15:14:07 +0100 > Ah, maybe I'm not being clear enough. I want the AD users to be able to > access the shares, but not ssh login to the system, which they can > currently. How have you configured around winbind? By default, the shell for users created by winbindd is set to "/bin/false" so they can not login to the system. --- TAKAHASHI Motonobu / @damemonyo http://damedame.monyo.com/ / http://facebook.com/monyot -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
Ah, maybe I'm not being clear enough. I want the AD users to be able to access the shares, but not ssh login to the system, which they can currently. I'm wondering if this is a method I can use to achieve that end, as an alternative to using AllowUsers/AllowGroups in sshd_config or using pam_listfile. On 17 June 2011 17:46, Aaron E. wrote: > In the samba share definition you could add > valid users = +group > > this should have the effect your looking for if I understand you correctly. > If not my apologies.. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
On 6/17/2011 09:46, Aaron E. wrote: In the samba share definition you could add valid users = +group this should have the effect your looking for if I understand you correctly. If not my apologies.. On 06/17/2011 12:28 PM, John McNulty wrote: Hi. I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add "require_membership_of" to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well? Regards, John I'm suddenly curious about this as well. please let us know your results! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
In the samba share definition you could add valid users = +group this should have the effect your looking for if I understand you correctly. If not my apologies.. On 06/17/2011 12:28 PM, John McNulty wrote: Hi. I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add "require_membership_of" to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well? Regards, John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Restricting logins using pam_winbind require_membership_of ?
Hi. I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add "require_membership_of" to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well? Regards, John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba