This procedure will install the SSH service, which provides remote access to the server.
# apt-get update
# apt-get install ssh
Answer the questions as follows:
Allow SSH protocol 2 only? Yes
Do you want /usr/lib/ssh-keysign to be installed SUID root? Yes
Do you want to run the sshd server? Yes
# mcedit /etc/pam.d/ssh
Change the file to read as follows:
auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass
auth required pam_env.so
account required pam_winbind.so
session required pam_unix.so
session required pam_limits.so
session optional pam_motd.so
#session optional pam_lastlog.so
session optional pam_mail.so standard noenv dir=~/Maildir/
password required pam_unix.so
With this configuration, the SSH service will check the local accounts database if domain authentication fails.
Note: The pam_winbind module provides the pam_unix accounting facility.
The script reads as follows:
[bash-wrapper]
When invoked as a login shell, this script will prevent non-privileged users from obtaining a shell.
# chmod -v 775 /usr/local/bin/bash-wrapper
When invoked as a login shell, this script will restrict access to members of the Domain Admins group and to members of the local wheel group.
Note: Domain users can be members of local unix groups.
Note: Do not use the pam_wheel module here; it won't work.
# mcedit /etc/samba/smb.conf
Set this option:
template shell = /usr/local/bin/bash-wrapper
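A login-shell wrapper of the kind described above, written here as an added example; it is not the page's bash-wrapper script. It assumes winbind presents the group under the name "Domain Admins", that the real shell is /bin/bash, and that getent and logger are available; the function names are hypothetical. Group membership is compared by numeric GID so that names containing spaces are not split, and access is denied when none of the allowed groups resolves.

```sh
#!/bin/sh
# Added example, not the page's own bash-wrapper.
# Assumption: the group name below matches what `getent group` shows on
# your system (some winbind setups prefix the domain name).
ALLOWED_GROUPS='Domain Admins
wheel'
REAL_SHELL=/bin/bash

# gid_in_list GID "G1 G2 ..." -> 0 if GID is one of the space-separated ids.
gid_in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_privileged "USER_GIDS" "ALLOWED_GIDS" -> 0 if the two lists share a gid.
# An empty list on either side never matches, so lookups that fail deny access.
is_privileged() {
    for gid in $2; do
        gid_in_list "$gid" "$1" && return 0
    done
    return 1
}

# allowed_gids -> prints the gids of the ALLOWED_GROUPS that resolve via NSS.
allowed_gids() {
    printf '%s\n' "$ALLOWED_GROUPS" | while IFS= read -r name; do
        getent group "$name" | cut -d: -f3
    done | tr '\n' ' '
}

main() {
    if is_privileged "$(id -G)" "$(allowed_gids)"; then
        [ $# -eq 0 ] && exec "$REAL_SHELL" -l   # interactive login
        exec "$REAL_SHELL" "$@"                 # e.g. -c 'command' from sshd
    fi
    logger -p auth.notice -t bash-wrapper "shell denied for $(id -un)"
    echo "This account is not permitted to open a shell." >&2
    exit 1
}

# Act as a login shell only when installed under the wrapper's name, so the
# functions above can be sourced or tested without side effects.
case "${0##*/}" in
    bash-wrapper) main "$@" ;;
esac
```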