https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758552#M784833 Hi George,<BR /><BR />Most of the time I get the opposite question: How can I allow HP-UX logon/InetSvcs access using winbind, and the answer is that you cannot unless using pam_winbind, which we are not delivering with HP CIFS Server (yet). But you can always compile Opensource Samba --with-pam_winbind and do-it-yourself.<BR /><BR />So for your question, you cannot get logon/InetSvcs access without a PAM module for winbind (which we do not have), and then configure it in pam.conf. For nsswitch, the current winbind entries are just for the UID/GID lookup for getpwent. I believe that "template shell" is intended for pam_winbind usage.<BR /><BR />On a related note, when addressing this issue for unified login users (using the same LDAP/ADS user container for both HP-UX logon/InetSvc *and* CIFS/Samba) I recommend just setting the RFC 2307 attribute loginShell to /bin/false, or using pam_authz.<BR /><BR />Eric Roseme Fri, 24 Mar 2006 13:49:27 GMT eric roseme 2006-03-24T13:49:27Z https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758549#M784830 Trying to find the best way to implement Samba in our environment.<BR /><BR />Using Active Directory integration and Winbind I can control access to the specific shares we want to create by using the Active Directory groups to limit access.<BR /><BR />Since doing this requires adding winbind into nsswitch for passwd and group my question becomes ... what is the easiest/safest way to NOT compromise security on the server.<BR /><BR />Specifically we only want a defined set of users (i.e. the ones with local accounts for now) to have access to the server via telnet, ftp, etc.<BR /><BR />For Linux PAM is more granular and I can think of some ways to do this, but am not sure how this translates to HP-UX.<BR /><BR />Anyone else dealing with this and suggestions on how to get around? Fri, 24 Mar 2006 11:03:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758549#M784830 George A Bodnar 2006-03-24T11:03:49Z https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758550#M784831 I believe that the:<BR /><BR />template shell = /bin/false<BR /><BR />Parameter in the smb.conf file may help. If this shell is not known by the ftp server, ftp session will also be refused. Fri, 24 Mar 2006 11:22:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758550#M784831 Ivan Ferreira 2006-03-24T11:22:58Z https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758551#M784832 I thought of the "dummy" shell too, but looking to see if there is a more elegant way to do this. Fri, 24 Mar 2006 12:57:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758551#M784832 George A Bodnar 2006-03-24T12:57:04Z https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758552#M784833 Hi George,<BR /><BR />Most of the time I get the opposite question: How can I allow HP-UX logon/InetSvcs access using winbind, and the answer is that you cannot unless using pam_winbind, which we are not delivering with HP CIFS Server (yet). But you can always compile Opensource Samba --with-pam_winbind and do-it-yourself.<BR /><BR />So for your question, you cannot get logon/InetSvcs access without a PAM module for winbind (which we do not have), and then configure it in pam.conf. For nsswitch, the current winbind entries are just for the UID/GID lookup for getpwent. I believe that "template shell" is intended for pam_winbind usage.<BR /><BR />On a related note, when addressing this issue for unified login users (using the same LDAP/ADS user container for both HP-UX logon/InetSvc *and* CIFS/Samba) I recommend just setting the RFC 2307 attribute loginShell to /bin/false, or using pam_authz.<BR /><BR />Eric Roseme Fri, 24 Mar 2006 13:49:27 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758552#M784833 eric roseme 2006-03-24T13:49:27Z https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758553#M784834 Excellent - my ignorance was the answer :)<BR /><BR />That makes perfect sense - if the PAM modules aren't changed access isn't modified.<BR /><BR />I'm not as familiar with the HP setup for pam vs. Linux but looking now I do see it just says libpam_unix<BR /><BR />Thank you Fri, 24 Mar 2006 14:27:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-non-samba-access-using-winbind/m-p/3758553#M784834 George A Bodnar 2006-03-24T14:27:06Z