FWIW, as a workaround what you can do is create a group which contains
disabled users on the AD (e.g., "DisabledUsers"), and add the following
directive to /etc/ssh/sshd_config:

DenyGroups DisabledUsers

Then, whenever you disable a user on the AD you also include it in the
"DisabledUsers" group.
Thank you for the further details.
Indeed, I was able to reproduce and confirm this locally. It is a
limitation of winbind. In fact, I have found an upstream bug about this
problem:
https://bugzilla.samba.org/show_bug.cgi?id=14622
The "good news" is that upstream is aware of this limitation.
Hi,
My concern specifically centers around SSH key auth, but in more general
terms, Ubuntu makes a distinction between an account being locked, and a
password being locked. So far as I can tell, Samba/AD do not make that
distinction, but in any case the operation 'samba-tool user disable
' is desc
(To clarify my first paragraph: 'samba-tool user disable' has a similar
effect to 'passwd -l', but the phraseology and description from --help,
as well as the phraseology in the Microsoft AD Users & Computers tool,
imply that it should have a similar effect to 'usermod -e 1')
Thanks for the bug report and apologies for the delay in getting back to
you.
I configured a Bionic VM acting as an AD member, joined the AD, and then
disabled one of the users in the AD DC. I noticed that issuing a "login
inva...@ad1.example.com" correctly displays the following message:
# logi
** Changed in: samba (Ubuntu)
Status: Expired => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1913851
Title:
pam_winbind should reject disabled users
To manage notifications abo
[Expired for samba (Ubuntu) because there has been no activity for 60
days.]
** Changed in: samba (Ubuntu)
Status: Incomplete => Expired
It is, I believe, the default line added by pam-auth-update:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central acce
Can you double-check that your pam configuration for pam_winbind is
configured to use required or requisite rather than sufficient?
It's possible that the required or requisite defaults aren't sufficient
but may still be possible to configure using the more complicated pam
syntax. Search for 'valu
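
The difference between the control flags asked about above, as an added example (not from the bug thread, Samba or Ubuntu): a simplified walk of a PAM account stack using the control actions documented in pam.conf(5). The three stacks and the `acct_expired` return value are constructed assumptions; whether pam_winbind actually returns a failure for a disabled user is the separate question the thread discusses.

```python
import re

# Keyword controls expanded to value=action pairs, as documented in pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}
LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed account stacks for illustration (not taken from the bug report).
SUFFICIENT = "account sufficient pam_winbind.so\naccount required pam_permit.so\n"
REQUIRED = "account required pam_winbind.so\naccount required pam_permit.so\n"
BRACKETED = ("account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so\n"
             "account requisite pam_deny.so\naccount required pam_permit.so\n")

def parse(text, pam_type="account"):
    """Return [(actions, module)] for each line of pam_type; @include is not followed."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == pam_type:
            control = KEYWORDS.get(m.group(2), m.group(2).strip("[]"))
            actions = dict(p.split("=", 1) for p in control.split() if "=" in p)
            stack.append((actions, m.group(3).rsplit("/", 1)[-1]))
    return stack

def allowed(text, results):
    """Simplified stack walk. results maps a module name to the return value it
    is assumed to give (default "success"); True means the stack grants access."""
    stack, i, positive, failed = parse(text), 0, False, False
    while i < len(stack):
        actions, module = stack[i]
        code = results.get(module, "success")
        action = actions.get(code, actions.get("default", "ignore"))
        i += 1
        if action.isdigit():      # jump over the next N modules
            i += int(action)
        elif action == "done":    # terminate with the state so far
            return not failed
        elif action == "die":     # fail and terminate
            return False
        elif action == "bad":
            failed = True
        elif action == "ok":
            positive = True
    return positive and not failed   # in this model, no positive result means deny
```

In this model a failing `sufficient` line is ignored and the trailing pam_permit grants access, while `required`, or the bracketed form followed by pam_deny, denies.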