Re: [Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-22 Thread John McNulty
pam_access actually worked very well and is the most powerful / flexible of
all the choices, so that's the one I'm going with.

Thanks to everyone who replied.

John


On 20 June 2011 18:35, TAKAHASHI Motonobu  wrote:

> On 06/17/2011 12:28 PM, John McNulty wrote:
> > Hi.
> >
> > I have some shares on a server that are offered to specific Active
> Directory
> > user groups, but the business doesn't want those users to be able to
> login
> > to the server.  If I were to add "require_membership_of"  to pam_winbind
> to
> > limit logins and shut out the users I don't want, would it also have the
> > side effect of denying those users access to the shares as well?
>
> From: John McNulty 
> Date: Mon, 20 Jun 2011 10:50:45 +0100
>
> > The user accounts exist in Active Directory and we're using the rfc2307
> > schema.  So the shell is set in AD.  I cannot change the shell to
> /bin/false
> > or that would affect all the other servers they login to.
>
> I see. You may manage local login with the facility of PAM, for
> example pam_access, pam_listfile or others...
>
> ---
> TAKAHASHI Motonobu  / @damemonyo
>  http://damedame.monyo.com/ / http://facebook.com/monyot
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-20 Thread TAKAHASHI Motonobu
On 06/17/2011 12:28 PM, John McNulty wrote:
> Hi.
>
> I have some shares on a server that are offered to specific Active Directory
> user groups, but the business doesn't want those users to be able to login
> to the server.  If I were to add "require_membership_of"  to pam_winbind to
> limit logins and shut out the users I don't want, would it also have the
> side effect of denying those users access to the shares as well?

From: John McNulty 
Date: Mon, 20 Jun 2011 10:50:45 +0100

> The user accounts exist in Active Directory and we're using the rfc2307
> schema.  So the shell is set in AD.  I cannot change the shell to /bin/false
> or that would affect all the other servers they login to.

I see. You may manage local login with the facility of PAM, for
example pam_access, pam_listfile or others...

---
TAKAHASHI Motonobu  / @damemonyo
  http://damedame.monyo.com/ / http://facebook.com/monyot
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-18 Thread TAKAHASHI Motonobu
From: John McNulty 
Date: Sat, 18 Jun 2011 15:14:07 +0100

> Ah, maybe I'm not being clear enough.  I want the AD users to be able to
> access the shares, but not ssh login to the system, which they can
> currently.

How have you configured around winbind?

By default, the shell for users created by winbindd is set to
"/bin/false" so they can not login to the system.

---
TAKAHASHI Motonobu  / @damemonyo
  http://damedame.monyo.com/ / http://facebook.com/monyot

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-18 Thread John McNulty
Ah, maybe I'm not being clear enough.  I want the AD users to be able to
access the shares, but not ssh login to the system, which they can
currently.  I'm wondering if this is a method I can use to achieve that end,
as an alternative to using AllowUsers/AllowGroups in sshd_config or using
pam_listfile.


On 17 June 2011 17:46, Aaron E.  wrote:

> In the samba share definition you could add
> valid users = +group
>
> this should have the effect your looking for if I understand you correctly.
> If not my apologies..
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-18 Thread Christ Schlacta

On 6/17/2011 09:46, Aaron E. wrote:

In the samba share definition you could add
valid users = +group

this should have the effect your looking for if I understand you 
correctly. If not my apologies..


On 06/17/2011 12:28 PM, John McNulty wrote:

Hi.

I have some shares on a server that are offered to specific Active 
Directory
user groups, but the business doesn't want those users to be able to 
login
to the server.  If I were to add "require_membership_of"  to 
pam_winbind to

limit logins and shut out the users I don't want, would it also have the
side effect of denying those users access to the shares as well?

Regards,

John



I'm suddenly curious about this as well.  please let us know your results!
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-17 Thread Aaron E.

In the samba share definition you could add
valid users = +group

this should have the effect your looking for if I understand you 
correctly. If not my apologies..


On 06/17/2011 12:28 PM, John McNulty wrote:

Hi.

I have some shares on a server that are offered to specific Active Directory
user groups, but the business doesn't want those users to be able to login
to the server.  If I were to add "require_membership_of"  to pam_winbind to
limit logins and shut out the users I don't want, would it also have the
side effect of denying those users access to the shares as well?

Regards,

John


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-17 Thread John McNulty
Hi.

I have some shares on a server that are offered to specific Active Directory
user groups, but the business doesn't want those users to be able to login
to the server.  If I were to add "require_membership_of"  to pam_winbind to
limit logins and shut out the users I don't want, would it also have the
side effect of denying those users access to the shares as well?

Regards,

John
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba