Web lists-archives.com

AllowGroups in SSHD not working for domain accounts

Hi Cygwin team,

I'm trying to setup SSHD with 'AllowGroups' option, but I've encountered
following troubles.

When I setup the 'AllowGroups SSHGROUP' option in 'sshd_config' file, then
a local users who are members of 'SSHGROUP' are able to login without any
issue. When I do the same for domain user, who is also member of local
group 'SSHGROUP', the login will fail with following error in the log:

'User SSHUSER from <IP> not allowed because non of user's groups are listed
in AllowGroups.

When I try to list all users for my domain user using 'groups' command, it
show only domain groups where the user belong + primary groups which is set
in 'passwd' file.

I was able to make it work, using a workaround, by set a local 'SSHGROUP'
as a primary group in 'passwd' file for my domain user. Then this groups is
was also displayed using 'groups' command and user was able to login, but
it's not a suitable solution for me.

I've tried also to assign my domain user to 'SSHGROUP' in 'group' file, but
didn't help.

I'm running Windows Server 2012 R2 with Cygwin 2.10.0. SSHD service is
running under a local user. Tried as well to run a service under a domain
user, but it didn't help as well.

Is Cygwin capable such a solution and I'm doing something wrong, or the not
listing local groups for domain users is a default behaviour?

Thanks in advance.

Best regards,

*Zindulka Michal*

Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple