Allowed Users with Samba-Winbind

[14karat]

I'm having a heckuva time finding a clear answer to this, so here goes...
I have a server setup to authenticate users with Active Directory - using winbind.
Basically I just used the 'system-config-authentication' tool and breezed through that. It works like a charm.
BUT - I only have a handful of users I want to grant access to the server.
Without manually going and setting up accounts for each of them (because this is done automatically at their first login now) what is the best way to limit access to a certain list of users?
access.conf was my initial thought, but is there a better method?
If it is access.conf - then I have a problem there... but I'll wait for this answer first!

Thanks all.

[HROAdmin26]

limit access to a certain list of users

A list of users is a...group....

Google: samba group permission

Some O'reilly book

Code:

[accounting]
	comment = Accounting Department Directory
	writeable = yes
	valid users = @account
	path = /home/samba/accounting
	create mode = 0660
	directory mode = 0770

[14karat]

Thanks, but...
That will limit access to a path, correct?
I need to limit the users who can logon to the server.

[HROAdmin26]

If by "login" you mean to a desktop GUI, see here for an example of using AD for this.

[14karat]

Let me rephrase this...
I have configured a Redhat server (EL 5 Upd 4) to authenticate users from Active Directory using Winbind (via the system-config-authentication tool).
We have 2500+ users in Active Directory that can now login to this server (via ssh - I don't allow anything else) and their user homes (/home/$USER_NAME) will be created when they login.
I only have about 25-30 users who I want to allow to login.
What is the best method for doing this?
I thought /etc/security/access.conf at first, but didn't know if there was a better method.

[HROAdmin26]

Verify what your Samba template is using when auto-adding users to the passwd file. If the shell is being set to /bin/false, they will not have SSH access. Enable a valid shell for the users that are allowed to log in.

More Google

Also notice that the domain users default shell is listed as /bin/false, which is the default. This prevents these users from logging in from the console. The "template shell =" option is used in smb.conf to specify a shell for the users.

[14karat]

Well...
The domain users aren't added to passwd by default...
I decided to just set the default shell to /bin/false and manually added the ones I needed into passwd with /bin/bash.
Sucks because I have to id each user and add that into passwd.
I'm sure there's probably an easier way, but, this works, so I'll let it go.
Thanks.