Operating System - HP-UX
George A Bodnar
Trusted Contributor

Limit non-samba access using Winbind?

Trying to find the best way to implement Samba in our environment.

Using Active Directory integration and Winbind I can control access to the specific shares we want to create by using the Active Directory groups to limit access.

Since doing this requires adding winbind into nsswitch for passwd and group my question becomes ... what is the easiest/safest way to NOT compromise security on the server.

Specifically we only want a defined set of users (i.e. the ones with local accounts for now) to have access to the server via telnet, ftp, etc.

For Linux PAM is more granular and I can think of some ways to do this, but am not sure how this translates to HP-UX.

Anyone else dealing with this and suggestions on how to get around?
Ivan Ferreira
Honored Contributor

Re: Limit non-samba access using Winbind?

I believe that the:

template shell = /bin/false

parameter in the smb.conf file may help. If this shell is not known to the ftp server, the ftp session will also be refused.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
George A Bodnar
Trusted Contributor

Re: Limit non-samba access using Winbind?

I thought of the "dummy" shell too, but looking to see if there is a more elegant way to do this.
eric roseme
Respected Contributor
Solution

Re: Limit non-samba access using Winbind?

Hi George,

Most of the time I get the opposite question: how can I allow HP-UX logon/InetSvcs access using winbind? The answer is that you cannot unless you use pam_winbind, which we are not delivering with HP CIFS Server (yet). But you can always compile open-source Samba --with-pam_winbind and do it yourself.

So for your question, you cannot get logon/InetSvcs access without a PAM module for winbind (which we do not have), and then configure it in pam.conf. For nsswitch, the current winbind entries are just for the UID/GID lookup for getpwent. I believe that "template shell" is intended for pam_winbind usage.

On a related note, when addressing this issue for unified login users (using the same LDAP/ADS user container for both HP-UX logon/InetSvc *and* CIFS/Samba) I recommend just setting the RFC 2307 attribute loginShell to /bin/false, or using pam_authz.

Eric Roseme
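An added audit script, not from this thread or from HP CIFS Server, that checks the three places the replies point at: which nsswitch databases use winbind, the smb.conf "template shell", and whether any PAM service actually loads pam_winbind. The smb.conf, nsswitch.conf and pam.conf contents are constructed samples, and the pam.conf module name is assumed.

```shell
# Audit the three places the replies point at (constructed sample files):
# nsswitch databases using winbind, smb.conf "template shell", and whether
# any PAM service actually loads pam_winbind.
SMB_CONF=$(mktemp); NSS_CONF=$(mktemp); PAM_CONF=$(mktemp)
cat >"$SMB_CONF" <<'EOF'
[global]
   security = ads
   template shell = /bin/false
EOF
cat >"$NSS_CONF" <<'EOF'
passwd: files winbind
group:  files winbind
hosts:  files dns
EOF
cat >"$PAM_CONF" <<'EOF'
# constructed: only the stock UNIX module, no pam_winbind (module name assumed)
login   auth    required    libpam_unix.so.1
ftp     auth    required    libpam_unix.so.1
EOF
# Print the nsswitch databases whose source list includes winbind.
nss_winbind_dbs() {
    awk '!/^[ \t]*#/ && /winbind/ { sub(":", "", $1); print $1 }' "$1" |
        tr '\n' ' ' | sed 's/ $//'
}

# Print the "template shell" value from [global]; prints nothing if unset.
template_shell() {
    awk -F= '/^[ \t]*\[/ { in_global = ($0 ~ /\[global\]/) }
             in_global && $1 ~ /^[ \t]*template[ \t]+shell[ \t]*$/ {
                 gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }' "$1"
}

# True (exit 0) if any non-comment PAM line loads a winbind module.
pam_uses_winbind() {
    grep -v '^[[:space:]]*#' "$1" | grep -q pam_winbind
}

# With winbind in nsswitch but no pam_winbind, only name/UID/GID lookups
# change; logon/ftp still authenticate through the existing PAM stack.
audit() {
    printf 'nsswitch databases using winbind: %s\n' "$(nss_winbind_dbs "$NSS_CONF")"
    printf 'smb.conf template shell:          %s\n' "$(template_shell "$SMB_CONF")"
    if pam_uses_winbind "$PAM_CONF"; then
        echo 'pam.conf loads pam_winbind:       yes (AD users can authenticate)'
    else
        echo 'pam.conf loads pam_winbind:       no (AD users get lookups only)'
    fi
}
audit
```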
George A Bodnar
Trusted Contributor

Re: Limit non-samba access using Winbind?

Excellent - my ignorance was the answer :)

That makes perfect sense - if the PAM modules aren't changed, access isn't modified.

I'm not as familiar with the HP setup for PAM vs. Linux, but looking now I do see it just says libpam_unix.

Thank you