Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Winbind and pam - restrict all services except for samba access
Operating Systems Linux Red Hat Winbind and pam - restrict all services except for samba access Post 302594727 by klyne on Wednesday 1st of February 2012 04:47:51 AM
Old 02-01-2012
Winbind and pam - restrict all services except for samba access
Hi,

I have recently taken control of a number of RHEL5.3 servers that have samba shares setup on them and are authenticating using pam and winbind. My issue is that any user that has an active directory account can currently log in to the linux boxes using their ad credentials. I need to restrict all services except for samba access.

As a test to try and disable ssh I have tried adding the below line to /etc/pam.d/sshd but this has had the effect of stopping all new ssh connections. I hav also created the /etc/ssh_allow.pamlist file with the list of users that require access:

Code:
 
auth       required   pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist


/etc/pam.d/sshd

Code:
 
#%PAM-1.0
#auth       required   pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

/etc/pam.d/system-auth-ac
Code:
 
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass

Any help would be greatly appreciated.

Thanks,
Keith
 

10 More Discussions You Might Find Interesting

1. Linux

Enable sudo for Win AD users authenticated with Linux samba winbind service

Hi everyone, I wonder if anyone ever came across the idea of unifying AD and Linux user accounts We have a Linux machine with 'samba' 'winbind' service configured to let Windows AD users to logon locally using their AD accounts and passwords. I can use 'su' to get to the local user privilege... (0 Replies)
Discussion started by: will_mike
0 Replies

2. SCO

Authentication problems with Active Directory/Samba/Winbind/Pam

Hi all. I'm having real trouble authenticating users against active directory for my SCO UnixWare 7.1.4 box running samba 3.0.24 (installed via Maintenance pack 4). I can list AD users/groups (after overcoming several hiccups) with wbinfo -g / wbinfo -u. I can use id to get a view an ad user ie:... (0 Replies)
Discussion started by: silk600
0 Replies

3. UNIX for Dummies Questions & Answers

Restrict user access.

Hi All, How can we restrict a particular user access to a particular shell in solaris 10. Thanks in Advance. (5 Replies)
Discussion started by: rama krishna
5 Replies

4. Red Hat

Restrict user access

Hi there I have an application user on my system that wants accesses to these file systems as such: rwx: /SAPO /SAPS12 /R3_888 /R3_888B /R3_888F /R3_888R r: /usr/sap these are the existing FS permissions:ownerships: # ls -ld /SAPO (9 Replies)
Discussion started by: hedkandi
9 Replies

5. Ubuntu

Restrict SUDO Access

Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux Hi Folks, Please help me. I am bit struck here. Here is the OS info. Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux I have a... (17 Replies)
Discussion started by: explorer007
17 Replies

6. Solaris

samba read write access to owner and no access to other users

Hi All, I want to configure samba share permission so that only directory creator/owner has a read and write permission and other users should not have any read/write access to that folder.Will that be possible and how can this be achieved within samba configuration. Regards, Sahil (1 Reply)
Discussion started by: sahil_shine
1 Replies

7. UNIX for Dummies Questions & Answers

Restrict access

I'm trying to use squid to restrict elinks' access to certain websites(only http traffic). I have tried some configs in squid.conf but no luck. Hope someone has a bit of time to explain me how can you make these config's :) ---------- Post updated at 05:40 PM ---------- Previous update was at... (1 Reply)
Discussion started by: Birnbacher
1 Replies

8. Red Hat

Samba/Winbind issue - Can't get user and group info from sub domains

Hi, We now have a Samba or Winbind issue. The Linux client under RHEL6 can not get Windows' AD sub-domain info. See the following output please. The main domain 'Global' is shown online, but the sub-domain 'Europe' and 'Asia' are shown offline although they are online. Commands 'wbinfo -u' and... (0 Replies)
Discussion started by: aixlover
0 Replies

9. AIX

Samba 3.6.22 on AIX 7.1 with Windows AD (Kerberos and winbind)

Hi all, I have installed samba 3.6.22 on AIX 7.1 and join a windows AD with success. All seem to work fine, I have configured smb.conf, methods.cfg, kerberos, user .... the following command work fine wbinfo -u, wbinfo -g, wbinfo -i, wbinfo -s, wbinfo -S, lsuser, id... The unique... (20 Replies)
Discussion started by: PhilippeA
20 Replies

10. UNIX for Advanced & Expert Users

Configure samba with PAM point 2 different LDAP

Hi, I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA. Is possibile duplicate the... (2 Replies)
Discussion started by: mark888
2 Replies

LEARN ABOUT OPENSOLARIS

tdbbackup

TDBBACKUP(1M)						    System Administration tools 					     TDBBACKUP(1M)

NAME

       tdbbackup - tool for backing up and for validating the integrity of samba .tdb files

SYNOPSIS

       tdbbackup [-s suffix] [-v] [-h]

DESCRIPTION

       This tool is part of the samba(1) suite.

       tdbbackup is a tool that may be used to backup samba .tdb files. This tool may also be used to verify the integrity of the .tdb files prior
       to samba startup or during normal operation. If it finds file damage and it finds a prior backup the backup file will be restored.

OPTIONS

       -h
	   Get help information.

       -s suffix
	   The -s option allows the adminisistrator to specify a file backup extension. This way it is possible to keep a history of tdb backup
	   files by using a new suffix for each backup.

       -v
	   The -v will check the database for damages (currupt data) which if detected causes the backup to be restored.

COMMANDS

       GENERAL INFORMATION

       The tdbbackup utility can safely be run at any time. It was designed so that it can be used at any time to validate the integrity of tdb
       files, even during Samba operation. Typical usage for the command will be:

       tdbbackup [-s suffix] *.tdb

       Before restarting samba the following command may be run to validate .tdb files:

       tdbbackup -v [-s suffix] *.tdb

       Samba .tdb files are stored in various locations, be sure to run backup all .tdb file on the system. Important files includes:

       o    secrets.tdb - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba.

       o    passdb.tdb - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba.

       o    *.tdb located in the /usr/local/samba/var directory or on some systems in the /var/cache or /var/lib/samba directories.

VERSION

       This man page is correct for version 3.0 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The tdbbackup man page was written by John H Terpstra.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +--------------------+----------------------+
       |  ATTRIBUTE TYPE    |	ATTRIBUTE VALUE    |
       +--------------------+----------------------+
       |Availability	    | SUNWsmbar, SUNWsmbau |
       +--------------------+----------------------+
       |Interface Stability | External		   |
       +--------------------+----------------------+
NOTES

       Source for Samba is available on http://opensolaris.org.

       Samba(7) delivers the set of four SMF(5) services as can be seen from the following example:

	    $ svcs samba wins winbind swat
	   STATE	  STIME    FMRI
	   disabled	  Apr_21   svc:/network/samba:default
	   disabled	  Apr_21   svc:/network/winbind:default
	   disabled	  Apr_21   svc:/network/wins:default
	   disabled	  Apr_21   svc:/network/swat:default

       where the services are:

	"samba"
	   runs the smbd daemon managing the CIFS sessions

	"wins"
	   runs the nmbd daemon enabling the browsing (WINS)

	"winbind"
	   runs the winbindd daemon making the domain idmap

	"swat"
	   Samba Web Administration Tool is a service providing access to browser-based Samba administration interface and on-line documentation.
	   The service runs on software loopback network interface on port 901/tcp, i.e. opening "http://localhost:901/" in browser will access
	   the SWAT service on local machine.

       Please note: SWAT uses HTTP Basic Authentication scheme where user name and passwords are sent over the network in clear text. In the SWAT
       case the user name is root. Transferring such sensitive data is advisable only on the software loopback network interface or over secure
       networks.

Samba 3.0							    01/19/2009							     TDBBACKUP(1M)
All times are GMT -4. The time now is 10:46 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy