I have currently setup my linux box to accept user accounts from my Windows 2000 Active Directory Domain. Everything is working great and it is accepting all AD users.

Now I wish to secure SSH connections by group name. I am assuming I would just add the following line to the sshd_config file:

AllowGroups DOMAIN+groupname

However, this does not seem to work. Neither does AllowUsers at that matter.

I am able to run "getent groups" to receive group memberships and am able to verify that I am properly connected to the domain.

Guess my main question is: can I use WINBIND Groups in SSH security? If not, how else should I go about setting up this type of security?

If anyone needs to look at my code/logs, I will be more than happy to provide it.

THANKS TO ALL IN ADVANCE FOR HELP. Any suggestions or input will be appreciated.

Tried using "pam_winbind" in the auth and account parts of your /etc/pam.d/ssh* stack?

Thanks for the reply and the help. I actually found the problem, but was waiting to make sure it worked. For some reason there was a gid restriction in the main pam security file. It was restricting it by the generated GID Number of certain AD groups. Know idea why it did that.

Anyways, once I remove the restriction, it worked like a charm.

One thing I should note is that I cannot use AD groups with SPACES in the name. I tried using double-quotes (") for the AllowGroups command, but it didn't seem to like it.

Do you know if a way to allow spaces in the group name for the SSH configuration? If not, no big deal.

Thanks again for your help.