Restricting AD group logging on to Servers


Restricting AD group logging on to Servers

Samba - General mailing list
Hi,
I have a Debian Stretch system running a self-compiled version 4.7.3 of Samba. Having followed the Samba Wiki to allow AD users
to log onto the servers using PAM authentication, I now want to restrict access to specified group(s). So I created a linuxadmins
group and made some test users members of the group.

Initially I tried to restrict access by modifying /etc/security/access.conf and adding a file to /usr/share/pam-configs containing
Auth: required pam_access.so. This works OK for normal users, including AD users, but I cannot get it to work for AD groups. For
example, I wanted to deny Domain Users, but allow linuxadmins. I have tried all variations, eg DOMAIN\Domain Users,
DOMAIN\\Domain Users, Domain Users, domain users; in quotes or not, with () as per the man page, but cannot get this to work - ie
no matter what I enter all AD users are allowed to log in (using SSH).

Searching the net I found reference to the pam_winbind.conf file in /etc/security. This did not exist, so I created a file
containing the line: require_membership_of=DOMAIN\\linuxadmins but this has no effect. The man pages for pam_winbind and
pam_winbind.conf indicate it has been built for Samba v4.7 but state "is correct for version 3 of Samba". So I assume it's no
longer used for version 4?

On member servers, setting the user's shell to /bin/false in the Unix Attributes tab of ADUC will prevent access, but this doesn't
work for the DCs as this value is ignored.

So how can this be done?

Many thanks,

Roy


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Restricting AD group logging on to Servers

Samba - General mailing list
On Fri, 1 Dec 2017 17:06:42 -0000
Roy Eastwood via samba <[hidden email]> wrote:

> Hi,
> I have a Debian Stretch system running a self-compiled version 4.7.3
> of Samba.     Having followed the Samba WiKi to allow AD users to log
> onto the servers using PAM authentication, I now want to restrict
> access to specified group(s).   So I created a linuxadmins group and
> made some test users members of the group.
>
> Initially I tried to restrict access by
> modifying /etc/security/access.conf and adding a file
> to /usr/share/pam-configs containing Auth: required pam_access.so.
> This works OK for normal users, including AD users, but I cannot get
> it to work for AD groups.   For example, I wanted to deny Domain
> Users, but allow linuxadmins.     I have tried all variations eg
> DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> users;    in quotes or not, with () as per the man page but cannot
> get this to work - ie no matter what I enter all AD users are allowed
> to log in (using SSH).
>
> Searching the net I found reference to the pam_winbind.conf file
> in /etc/security.    This did not exist, so I created a file
> containing the line: require_membership_of=DOMAIN\\linuxadmins   but
> this has no effect.   The man pages for pam_winbind and
> pam_winbind.conf indicate it has been built for Samba v4.7 but states
> "is correct for version 3 of Samba".   So I assume it's no longer
> used for version 4?
>
> On member servers, setting the user's shell to /bin/false in the Unix
> Attributes tab of ADUC will prevent access, but this doesn't work for
> the DCs as this value is ignored.
>
> So how can this be done?  
>
> Many thanks,
>
> Roy
>
>

try adding the 'require_membership_of' line to the winbind auth line in
PAM.

Rowland


Re: Restricting AD group logging on to Servers

Samba - General mailing list
> -----Original Message-----
> From: Rowland Penny [mailto:[hidden email]]
> Sent: 01 December 2017 17:40
> To: [hidden email]
> Cc: Roy Eastwood
> Subject: Re: [Samba] Restricting AD group logging on to Servers
>
> On Fri, 1 Dec 2017 17:06:42 -0000
> Roy Eastwood via samba <[hidden email]> wrote:
>
> > Hi,
> > I have a Debian Stretch system running a self-compiled version 4.7.3
> > of Samba.     Having followed the Samba WiKi to allow AD users to log
> > onto the servers using PAM authentication, I now want to restrict
> > access to specified group(s).   So I created a linuxadmins group and
> > made some test users members of the group.
> >
> > Initially I tried to restrict access by
> > modifying /etc/security/access.conf and adding a file
> > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > This works OK for normal users, including AD users, but I cannot get
> > it to work for AD groups.   For example, I wanted to deny Domain
> > Users, but allow linuxadmins.     I have tried all variations eg
> > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> > users;    in quotes or not, with () as per the man page but cannot
> > get this to work - ie no matter what I enter all AD users are allowed
> > to log in (using SSH).
> >
> > Searching the net I found reference to the pam_winbind.conf file
> > in /etc/security.    This did not exist, so I created a file
> > containing the line: require_membership_of=DOMAIN\\linuxadmins   but
> > this has no effect.   The man pages for pam_winbind and
> > pam_winbind.conf indicate it has been built for Samba v4.7 but states
> > "is correct for version 3 of Samba".   So I assume it's no longer
> > used for version 4?
> >
> > On member servers, setting the user's shell to /bin/false in the Unix
> > Attributes tab of ADUC will prevent access, but this doesn't work for
> > the DCs as this value is ignored.
> >
> > So how can this be done?
> >
> > Many thanks,
> >
> > Roy
> >
> >
>
> try adding the 'require_membership_of' line to the winbind auth line in
> PAM.
>
> Rowland

Thanks Rowland, that did the trick and is the simplest solution.

Found that only one \ was required to separate the domain part from the group name part - ie DOMAIN\linuxadmins rather than
DOMAIN\\linuxadmins. (The man page for pam_winbind.conf suggests two \\ are needed.)

Regards,
Roy



Re: Restricting AD group logging on to Servers

Samba - General mailing list
On Fri, 2017-12-01 at 18:04 +0000, Roy Eastwood via samba wrote:

> > -----Original Message-----
> > From: Rowland Penny [mailto:[hidden email]]
> > Sent: 01 December 2017 17:40
> > To: [hidden email]
> > Cc: Roy Eastwood
> > Subject: Re: [Samba] Restricting AD group logging on to Servers
> >
> > On Fri, 1 Dec 2017 17:06:42 -0000
> > Roy Eastwood via samba <[hidden email]> wrote:
> >
> > > Hi,
> > > I have a Debian Stretch system running a self-compiled version 4.7.3
> > > of Samba.     Having followed the Samba WiKi to allow AD users to log
> > > onto the servers using PAM authentication, I now want to restrict
> > > access to specified group(s).   So I created a linuxadmins group and
> > > made some test users members of the group.
> > >
> > > Initially I tried to restrict access by
> > > modifying /etc/security/access.conf and adding a file
> > > to /usr/share/pam-configs containing Auth: required pam_access.so.
> > > This works OK for normal users, including AD users, but I cannot get
> > > it to work for AD groups.   For example, I wanted to deny Domain
> > > Users, but allow linuxadmins.     I have tried all variations eg
> > > DOMAIN\Domain Users, DOMAIN\\Domain Users, Domain Users, domain
> > > users;    in quotes or not, with () as per the man page but cannot
> > > get this to work - ie no matter what I enter all AD users are allowed
> > > to log in (using SSH).
> > >
> > > Searching the net I found reference to the pam_winbind.conf file
> > > in /etc/security.    This did not exist, so I created a file
> > > containing the line: require_membership_of=DOMAIN\\linuxadmins   but
> > > this has no effect.   The man pages for pam_winbind and
> > > pam_winbind.conf indicate it has been built for Samba v4.7 but states
> > > "is correct for version 3 of Samba".   So I assume it's no longer
> > > used for version 4?
> > >
> > > On member servers, setting the user's shell to /bin/false in the Unix
> > > Attributes tab of ADUC will prevent access, but this doesn't work for
> > > the DCs as this value is ignored.
> > >
> > > So how can this be done?
> > >
> > > Many thanks,
> > >
> > > Roy
> > >
> > >
> >
> > try adding the 'require_membership_of' line to the winbind auth line in
> > PAM.
> >
> > Rowland
>
> Thanks Rowland, that did the trick and is the simplest solution.  
>
> Found that only one \ was required to separate the domain part from the group name part - ie DOMAIN\linuxadmins rather than
> DOMAIN\\linuxadmins.   (the man page for pam_winbind.conf suggests two \\ are needed)

Just one thing on that.  Remember that this is not checked by SSH for
authorized_keys based logins, it is run on the password checking path
only.  As long as they can't add such keys (no home dir) that is fine,
but just be aware.

I take it you have set a template shell and that is why you have access
at all?

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Restricting AD group logging on to Servers

Samba - General mailing list
[snip]
> > > try adding the 'require_membership_of' line to the winbind auth line in
> > > PAM.

> > > Rowland
> > Thanks Rowland, that did the trick and is the simplest solution.
> >
> > Found that only one \ was required to separate the domain part from the group name part - ie DOMAIN\linuxadmins rather than
> > DOMAIN\\linuxadmins.   (the man page for pam_winbind.conf suggests two \\ are needed)
>
> Just one thing on that.  Remember that this is not checked by SSH for
> authorized_keys based logins, it is run on the password checking path
> only.  As long as they can't add such keys (no home dir) that is fine,
> but just be aware.
>
> I take it you have set a template shell and that is why you have access
> at all?
>
> Thanks,
>
> Andrew Bartlett
>
Thanks for pointing this out - I hadn't realised that. Yes, I have set a template in smb.conf for shell and home dir on the DCs but use the Unix attributes in AD for member servers. So to prevent such logons, should I not set the home dir template, or should I set it to /dev/null or a similar non-existent dir?

Thanks,

Roy



Re: Restricting AD group logging on to Servers

Samba - General mailing list
On Sat, 2 Dec 2017 09:15:02 -0000
Roy Eastwood via samba <[hidden email]> wrote:

> [snip]
> > > > try adding the 'require_membership_of' line to the winbind auth
> > > > line in PAM.
>
> > > > Rowland
> > > Thanks Rowland, that did the trick and is the simplest solution.
> > >
> > > Found that only one \ was required to separate the domain part
> > > from the group name part - ie DOMAIN\linuxadmins rather than
> > > DOMAIN\\linuxadmins.   (the man page for pam_winbind.conf
> > > suggests two \\ are needed)
> >
> > Just one thing on that.  Remember that this is not checked by SSH
> > for authorized_keys based logins, it is run on the password
> > checking path only.  As long as they can't add such keys (no home
> > dir) that is fine, but just be aware.
> >
> > I take it you have set a template shell and that is why you have
> > access at all?
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> Thanks for pointing this out - I hadn't realised that.   Yes I have
> set a template in smb.conf for shell and home dir on the DCs but use
> the unix attributes in AD for member servers.   So to prevent such
> logons, I should not set the home dir template or should I set it
> to /dev/null or similar non-existent dir?
>
> Thanks,
>
> Roy
>
>

I think Andrew has thrown you a curved ball here. By default on a DC,
the logon shell is /bin/false and the home directory is /home/%D/%U.
That is, no users can log in, but if they could, they would get a
homedir in /home/DOMAIN/username. So, as far as a DC is concerned, if
you want anybody to log on, you must change the template shell
parameter, but this would allow any user to log on. If you change the
home dir template, this will also be used for all users, so if one
group cannot log on, no one can log on.

Your way of only allowing members of one group to logon is probably the
only way to go. If a user doesn't have a home dir created they cannot
logon and if they cannot logon, they will not get a home dir created,
so there will be nowhere to store any ssh keys.

Rowland


Re: Restricting AD group logging on to Servers

Samba - General mailing list
> > > Just one thing on that.  Remember that this is not checked by SSH
> > > for authorized_keys based logins, it is run on the password
> > > checking path only.  As long as they can't add such keys (no home
> > > dir) that is fine, but just be aware.
> > >
> > > I take it you have set a template shell and that is why you have
> > > access at all?
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > >
> > Thanks for pointing this out - I hadn't realised that.   Yes I have
> > set a template in smb.conf for shell and home dir on the DCs but use
> > the unix attributes in AD for member servers.   So to prevent such
> > logons, I should not set the home dir template or should I set it
> > to /dev/null or similar non-existent dir?
> >
> > Thanks,
> >
> > Roy
> >
> >
>
> I think Andrew has thrown you a curved ball here. By default on a DC,
> the logon shell is /bin/false and the homedirectory is '/home/%D/%U.
> That is, no users can log in, but if they could, they would get a
> homedir in /home/DOMAIN/username. So, as far as a DC is concerned, if
> you want anybody to logon, you must change the template shell
> parameter, but this would allow any user to logon. If you change the
> home dir template, this will also be used for all users, so if one
> group cannot logon, no one can logon.
>
> Your way of only allowing members of one group to logon is probably the
> only way to go. If a user doesn't have a home dir created they cannot
> logon and if they cannot logon, they will not get a home dir created,
> so there will be nowhere to store any ssh keys.
>
> Rowland
>
Hi Rowland,

Thanks for clarifying that. However, if I set the template homedir in smb.conf to /dev/null the user can still log on, and an error message is displayed, but the user is left at the root of the filing system (/). Maybe I have some setting incorrect? So I did some tests.

1) I set up a test user. This user is not a member of linuxadmins, so should not be able to log on to the servers using ssh (or at the console).
2) Set the user's Unix home directory to be the same as in AD for Windows.
3) Logged on to a Windows computer using the test user's credentials.
4) Used PuTTYgen to generate public and private keys for use with ssh.
5) Created the folder .ssh in the user's home folder on the server.
6) Copied the public key to the authorized_keys file in the user's .ssh folder.

I found I was able to log on to the server with ssh using the keys! The solution therefore is to ensure the user doesn't have a (Unix) home folder (or one that's inaccessible to the user from the network), as Andrew suggests. Along with the required group membership, this should ensure only those authorised to connect will be able to do so.

Thanks again to Andrew and Rowland. I think I understand it now! ;-)
Roy



Re: Restricting AD group logging on to Servers

Samba - General mailing list
Hello! Roy Eastwood via samba
  On that day you were saying...

> or should I set it to /dev/null or similar non-existent dir?

Pay a little attention to that.

If you set an invalid shell for users, in newer Debian this can lead to
minor trouble (e.g. if you run scripts for users with 'su', they do not work, or
you have to run them with an explicit shell).


I prefer to have all users with a valid shell, and act elsewhere (e.g. in
SSH, in 'authorized-groups').

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797


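The thread ends up with two separate controls: Rowland's require_membership_of on the pam_winbind auth line (password path only, as Andrew points out and Roy's key test confirms) and Marco's preference for restricting on the SSH side. The following audit helper is an added example, not from the thread or from Samba; it reads the two relevant files and reports whether both login paths are group-restricted. The sample file contents are constructed, and the assumptions (winbind exposing the group as plain linuxadmins, the sshd keyword names) are noted in comments.

```shell
#!/bin/sh
# Added audit helper, not from the thread. It checks whether AD logins are
# group-restricted on BOTH paths discussed: the PAM password path
# (pam_winbind require_membership_of) and the SSH public-key path, which
# skips the PAM auth stack and therefore needs AllowGroups in sshd_config.
# Sample file contents below are constructed; DOMAIN\linuxadmins is the group from the thread.

# Password path: is require_membership_of set on the pam_winbind auth line?
pam_group_restricted() {
    # $1 = contents of /etc/pam.d/common-auth (or whichever file holds the line)
    printf '%s\n' "$1" | grep -E '^[[:space:]]*auth[[:space:]]' \
        | grep 'pam_winbind\.so' | grep -q 'require_membership_of='
}

# Key path: does sshd itself restrict by group? Only an uncommented
# AllowGroups directive with a value counts.
sshd_group_restricted() {
    # $1 = contents of /etc/ssh/sshd_config
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*AllowGroups[[:space:]]+[^#[:space:]]'
}

# Is public-key auth in effect? sshd uses the first occurrence of a keyword
# and defaults PubkeyAuthentication to yes when it is absent.
sshd_pubkey_enabled() {
    value=$(printf '%s\n' "$1" \
        | grep -Ei '^[[:space:]]*PubkeyAuthentication[[:space:]]' \
        | head -n1 | awk '{print tolower($2)}')
    [ "${value:-yes}" = "yes" ]
}

# Verdict for one host:
#   ok          every enabled login path is group-restricted
#   key-bypass  only the PAM password path is covered (Andrew's caveat)
#   open        no PAM group check at all
audit_login_paths() {
    pam="$1"; sshd="$2"
    if ! pam_group_restricted "$pam"; then
        echo open
    elif sshd_pubkey_enabled "$sshd" && ! sshd_group_restricted "$sshd"; then
        echo key-bypass
    else
        echo ok
    fi
}

# Constructed samples. The AllowGroups value assumes winbind exposes the group
# as plain "linuxadmins" (winbind use default domain = yes); otherwise use the
# DOMAIN\linuxadmins spelling that getent group shows.
PAM_RESTRICTED='auth sufficient pam_winbind.so krb5_auth try_first_pass require_membership_of=DOMAIN\linuxadmins
auth required   pam_unix.so'
PAM_UNRESTRICTED='auth sufficient pam_winbind.so krb5_auth try_first_pass
auth required   pam_unix.so'
SSHD_DEFAULT='UsePAM yes'
SSHD_ALLOWGROUPS='UsePAM yes
AllowGroups linuxadmins'

audit_login_paths "$PAM_RESTRICTED" "$SSHD_DEFAULT"      # key-bypass
audit_login_paths "$PAM_RESTRICTED" "$SSHD_ALLOWGROUPS"  # ok
audit_login_paths "$PAM_UNRESTRICTED" "$SSHD_DEFAULT"    # open
```

On a real host, feed it the file contents with `audit_login_paths "$(cat /etc/pam.d/common-auth)" "$(cat /etc/ssh/sshd_config)"`; it does not follow Include or Match blocks in sshd_config.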

Re: Restricting AD group logging on to Servers

Samba - General mailing list
Thanks Marco, see inline comments below.

> -----Original Message-----
> From: samba [mailto:[hidden email]] On Behalf Of Marco Gaiarin via samba
> Sent: 04 December 2017 08:38
> To: [hidden email]
> Subject: Re: [Samba] Restricting AD group logging on to Servers
>
> Hello! Roy Eastwood via samba
>   On that day you were saying...
>
> > or should I set it to /dev/null or similar non-existent dir?
>
> Pay a little attention to that.
>
> If you set an invalid shell for users, in newer Debian this can lead to
> minor trouble (e.g. if you run scripts for users with 'su', they do not work, or
> you have to run them with an explicit shell).
>

This was not for the shell, but for the homedir setting - to prevent a user logging on with key authentication (nowhere for the user to save a public key).

>
> I prefer to have all users with a valid shell, and act elsewhere (e.g. in
> SSH, in 'authorized-groups').
>
> --
> dott. Marco Gaiarin        GNUPG Key ID: 240A3D66

Regards,

Roy

