Re: AllowGroups in SSHD not working for domain accounts
- Date: Wed, 1 Aug 2018 14:28:56 -0400
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Subject: Re: AllowGroups in SSHD not working for domain accounts
On Wed, Aug 1, 2018 at 2:21 PM, Michal Zindulka
> Hi Cygwin team,
> I'm trying to setup SSHD with 'AllowGroups' option, but I've encountered
> following troubles.
> When I setup the 'AllowGroups SSHGROUP' option in 'sshd_config' file, then
> a local users who are members of 'SSHGROUP' are able to login without any
> issue. When I do the same for domain user, who is also member of local
> group 'SSHGROUP', the login will fail with following error in the log:
> 'User SSHUSER from <IP> not allowed because non of user's groups are listed
> in AllowGroups.
> When I try to list all users for my domain user using 'groups' command, it
> show only domain groups where the user belong + primary groups which is set
> in 'passwd' file.
> I was able to make it work, using a workaround, by set a local 'SSHGROUP'
> as a primary group in 'passwd' file for my domain user. Then this groups is
> was also displayed using 'groups' command and user was able to login, but
> it's not a suitable solution for me.
> I've tried also to assign my domain user to 'SSHGROUP' in 'group' file, but
> didn't help.
Not sure if it is related, but...
On Windows domains you are supposed to follow the UGLY model. The
letters of UGLY stand for:
Users into Global groups
Global into domain Local groups
You assign permissions
SSHGROUP should be a local group with members from the domain and global groups.
Of course, scratch this if the machinery is doing something different.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple