Implementing System Policies with Samba
From SambaWiki
Latest revision as of 19:18, 26 September 2006
Thanks to Anthony Ciarochi at Centeris for this solution.
I have a CentOS (Red Hat-based) server that is now accessible to AD users AND local users via ssh. I can control which AD groups can log in using the syntax below. Red Hat-based distros use "pam_stack" in pam.d, which is quite different from Debian's "include"-based pam.d.
cat /etc/pam.d/sshd

<pre>
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_succeed_if.so user ingroup sshlogin
account    sufficient   pam_succeed_if.so user ingroup wheel
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
</pre>
The critical lines are:

<pre>
account    sufficient   pam_succeed_if.so user ingroup sshlogin
</pre>

The above allows members of the AD group "sshlogin" to ssh in. pam_succeed_if resolves the group through NSS, so the name must be exactly what winbind returns: check with `getent group sshlogin`. If `winbind use default domain = no`, the group name includes the domain prefix and separator (for example `DOMAIN\sshlogin`) and the pam line must use that form.

<pre>
account    sufficient   pam_succeed_if.so user ingroup wheel
</pre>

The above allows anyone in the *local machine* unix group "wheel" to ssh in. Because both lines are "sufficient", the first one that matches ends the account stack with success; a user who is in neither group matches nothing, no module reports success, and PAM denies the login. Note that this account stack no longer calls `pam_stack.so service=system-auth`, so the account checks from system-auth (for example password and account expiry in pam_unix, and winbind's own account checks) are not applied to ssh logins; if you want them, add `account required pam_stack.so service=system-auth` above the two sufficient lines so that it still runs for group members.

<pre>
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
</pre>

The above creates home dirs and dot files for AD users when they log in for the first time. The umask of 0027 makes the new home directory mode 0750, so other users on the box cannot read it.
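As an added example (not part of the SambaWiki page or of Samba itself), the following POSIX shell script audits a Red Hat-style /etc/pam.d/sshd for the two points above: which groups the account stack lets in via pam_succeed_if, whether the account stack still runs system-auth, and whether each gating group actually resolves through NSS. It assumes sh, awk, mktemp and getent are available and that the pam_succeed_if lines use the exact "user ingroup <name>" form shown on the page; the sample file it builds is constructed from the listing above.

```shell
#!/bin/sh
# Added example, not code from the SambaWiki page: audit the group gates in a
# Red Hat-style /etc/pam.d/sshd. Assumes POSIX sh, awk, mktemp and getent.

# Print the group names admitted by
# "account sufficient pam_succeed_if.so user ingroup <group>", one per line.
pam_ssh_groups() {
    awk '$1 == "account" && $2 == "sufficient" && $3 == "pam_succeed_if.so" {
            for (i = 4; i < NF; i++)
                if ($i == "user" && $(i+1) == "ingroup") print $(i+2)
         }' "$1"
}

# Return 0 if the account stack still calls system-auth (so pam_unix/winbind
# account checks such as expiry apply), 1 if those checks are skipped.
pam_account_runs_system_auth() {
    awk '$1 == "account" && $3 == "pam_stack.so" && $4 == "service=system-auth" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Print each gating group that NSS (winbind for AD groups) cannot resolve;
# an unresolvable group name silently locks its members out.
pam_unresolved_groups() {
    pam_ssh_groups "$1" | while read -r g; do
        getent group "$g" >/dev/null 2>&1 || echo "$g"
    done
}

# Constructed sample of the page's sshd file, written to a temp file so the
# functions can be exercised offline; "strict" adds the system-auth account
# line above the sufficient lines. Prints the path.
make_sample_pamd() {
    extra=""
    if [ "$1" = "strict" ]; then
        extra="account    required     pam_stack.so service=system-auth"
    fi
    f=$(mktemp)
    cat > "$f" <<EOF
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
$extra
account    sufficient   pam_succeed_if.so user ingroup sshlogin
account    sufficient   pam_succeed_if.so user ingroup wheel
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
EOF
    echo "$f"
}

# Usage: sh pam_sshd_audit.sh /etc/pam.d/sshd
if [ -n "$1" ]; then
    echo "groups allowed to ssh in:"
    pam_ssh_groups "$1"
    pam_account_runs_system_auth "$1" || echo "WARNING: account stack skips system-auth"
    pam_unresolved_groups "$1" | sed 's/^/WARNING: group not resolvable via NSS: /'
fi
```

Run it against the real file after editing; the NSS check is the one that catches the domain-prefix mistake, because `getent group` goes through the same winbind lookup that pam_succeed_if uses at login time.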