Implementing System Policies with Samba

Revision as of 19:14, 26 September 2006 by Zogness (talk | contribs) (Active Directory group and Red Hat local group sshd login control via PAM)

Thanks to Anthony Ciarochi at Centeris for this solution.

I have a CentOS (Red Hat-based) server that is now accessible to AD users AND local users via ssh. I can control which AD groups can log in using the syntax below. Red Hat-based distros use "pam_stack" in pam.d, which is quite different from Debian's "include"-based pam.d.

cat /etc/pam.d/sshd

  #----------------------------snip------------------------------------------
  #%PAM-1.0
  auth       required     pam_stack.so service=system-auth
  auth       required     pam_nologin.so
  account    sufficient   pam_succeed_if.so user ingroup sshlogin
  account    sufficient   pam_succeed_if.so user ingroup wheel
  password   required     pam_stack.so service=system-auth
  session    required     pam_stack.so service=system-auth
  session    required     pam_loginuid.so
  session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
  #----------------------------snip------------------------------------------

(The module column did not survive extraction. pam_stack.so, pam_succeed_if.so and pam_mkhomedir.so are the only modules that take the arguments shown; pam_nologin.so and pam_loginuid.so on the two bare lines are assumed from the stock Red Hat sshd file of that release.)

The critical lines are:

  account    sufficient   pam_succeed_if.so user ingroup sshlogin

The above is to allow an AD group "sshlogin" to ssh in.

  account    sufficient   pam_succeed_if.so user ingroup wheel

The above allows anyone in the *local machine* unix group "wheel" to ssh in.

  session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027

The above creates home dirs and dot files for AD users when they login for the first time.
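An added audit helper (example code, not from this page or from Centeris): it parses an sshd PAM file of the shape shown above, lists the groups admitted by the "user ingroup" account lines, and flags an account stack that has no required entry left. The sample file is constructed here, and its module names (pam_stack.so, pam_nologin.so, pam_succeed_if.so, pam_loginuid.so, pam_mkhomedir.so) are assumptions.

```shell
# Constructed sample of /etc/pam.d/sshd with the three critical lines in place.
sample_pam_sshd() {
  cat <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_succeed_if.so user ingroup sshlogin
account    sufficient   pam_succeed_if.so user ingroup wheel
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0027
EOF
}

# Print every group admitted by an "account ... pam_succeed_if.so user ingroup G" line.
ssh_allowed_groups() {
  awk '$1 == "account" && $3 == "pam_succeed_if.so" {
         for (i = 4; i < NF; i++)
           if ($i == "user" && $(i+1) == "ingroup") print $(i+2)
       }' "$1"
}

# Succeed (0) if the account stack still has a required/requisite module,
# i.e. the system-auth account checks (expiry, locked accounts) still run.
account_stack_has_required() {
  awk '$1 == "account" && ($2 == "required" || $2 == "requisite") { found = 1 }
       END { if (found) exit 0; exit 1 }' "$1"
}

# Succeed (0) if a user whose groups are $1 (space separated) matches an admitted group in $2.
groups_allow_login() {
  allowed=$(ssh_allowed_groups "$2")
  for g in $1; do
    for a in $allowed; do
      [ "$g" = "$a" ] && return 0
    done
  done
  return 1
}

# Human-readable report for one file, e.g. audit_pam_sshd /etc/pam.d/sshd
audit_pam_sshd() {
  echo "groups admitted by the sshd account stack in $1:"
  ssh_allowed_groups "$1" | sed 's/^/  /'
  account_stack_has_required "$1" ||
    echo "warning: account stack has only sufficient lines; system-auth account checks are bypassed"
}
```

Because both account lines are sufficient and replace the stock required pam_stack.so account line, a user in either group skips the system-auth account checks (password expiry, for example); the report above calls that out.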