
Re: [Samba] id <username> - doesnt list all groups

Thanks for your answer:

But I don't understand why the following is not working:

I want to restrict the ssh access for a special domain member:

In my "sshd_config" I added:

AllowGroups restrictaccess root

With user2 I'm able to log in via ssh!

log: pam_krb5(sshd:auth): user user2 authenticated as user2@xxxxxxxxxxx

With user1 I'm not!

log: User user1 from 192.168.0.100 not allowed because none of user's groups are listed in AllowGroups.

Have a look at my previous email: "id user2" shows the group "restrictaccess" and "id user1" doesn't. And I guess that's the reason why user2 is able to log in and user1 not?

Thanks

Micha


On 07.08.2018 at 12:41, Rowland Penny via samba wrote:
On Tue, 7 Aug 2018 12:20:04 +0200
Micha Ballmann via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello,

my environment:

All servers are Ubuntu 16.04-18.04

SAMBA AD DC server and several SAMBA DOMAIN MEMBERS (connected via
WINBIND). In the AD DC I've created a group "restrictaccess" and added
some users.

Now when I'm typing "id <username>" on a Domain Member, for some users
the group "restrictaccess" is listed, for some not!

For example:

ON DC:

# samba-tool group listmembers restrictaccess

user1
user2

ON Domain Member:

# id user1

uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain
users),3001(BUILTIN\users)

# id user2

uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain
users),10153(restrictaccess),3001(BUILTIN\users)

smb.conf on Domain Member:

[global]
   security = ads
   realm = rootrudi.de
   workgroup = ROOTRUDI
   idmap config *: backend = tdb
   idmap config *: range = 3000-7999
   idmap config rootrudi:backend = ad
   idmap config rootrudi:range = 10000-999999
   idmap config rootrudi:schema_mode = rfc2307
   idmap config rootrudi:unix_nss_info = no
   template shell = /bin/bash
   template homedir = /home/%U
   domain master = No
   local master = No
   preferred master = No
   os level = 0
   restrict anonymous = 2
   winbind cache time = 10
   winbind enum groups = Yes
   winbind enum users = Yes
   winbind use default domain = Yes
   map acl inherit = Yes
   store dos attributes = Yes
   vfs objects = acl_xattr

What happened?

Nothing, it is just that the user will not be logged in, this is from a
unix domain member that the user 'emily' isn't logged into:

id emily
uid=10001(emily) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users)

And from one where she is:

id emily
uid=10001(emily) gid=10000(domain_users) groups=10000(domain_users),10002(unixgroup),10010(group12),2001(BUILTIN\users)

Rowland
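Added example, not from the thread or from the Samba project: a small Python script that parses `id` output in the form quoted above, applies sshd's AllowGroups rule to it, and cross-checks the DC's `samba-tool group listmembers` output against what the domain member reports. The sample lines are the two `id` results from the thread (joined back onto one line each; `Gruppen=` is the German locale's label for `groups=`) and the member list from the DC; the AllowGroups value is the one from the sshd_config quoted above. sshd compares each AllowGroups entry against the user's primary group and all supplementary groups using shell-style wildcards; the script models `*` and `?` but not the `!` negation form. As Rowland's answer points out, the list `id` returns on a member depends on winbind having the user's full token, so the script only reports what this host would decide right now. One related check: with `winbind use default domain = no`, group names come back prefixed with the domain and separator (for example `ROOTRUDI\restrictaccess`), and a bare `restrictaccess` in AllowGroups would then not match.

```python
"""Parse `id <user>` output and apply sshd's AllowGroups rule to it.

Added diagnostic example for the thread above; the sample data below is
copied from the quoted messages, nothing here is Samba's or OpenSSH's code.
"""
import fnmatch
import re

# uid=NNN(user) gid=NNN(primary) groups=NNN(g1),NNN(g2),...
# The third label is matched loosely so localised output ("Gruppen=") parses too.
ID_RE = re.compile(
    r"uid=(?P<uid>\d+)\((?P<user>[^)]*)\)\s+"
    r"gid=(?P<gid>\d+)\((?P<pgroup>[^)]*)\)\s+"
    r"\w+=(?P<groups>.+)$"
)
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(line):
    """Return user, uid, primary group and supplementary group names from one `id` line.

    Whitespace is collapsed first so lines wrapped by a mail client still parse.
    """
    m = ID_RE.search(" ".join(line.split()))
    if not m:
        raise ValueError(f"unrecognised id output: {line!r}")
    return {
        "user": m["user"],
        "uid": int(m["uid"]),
        "primary_group": m["pgroup"],
        "groups": [name for _, name in GROUP_RE.findall(m["groups"])],
    }


def allowgroups_match(allow_groups, info):
    """Return (group, pattern) for the first AllowGroups entry the user satisfies, else None.

    sshd checks the primary group and every supplementary group against each
    pattern with shell-style wildcards. Negated ("!") patterns are not modelled.
    """
    candidates = [info["primary_group"]]
    candidates += [g for g in info["groups"] if g != info["primary_group"]]
    for pattern in allow_groups:
        for group in candidates:
            if fnmatch.fnmatchcase(group, pattern):
                return group, pattern
    return None


def members_missing_group(group, dc_members, id_lines):
    """Users the DC lists as members whose `id` output on this host lacks the group."""
    seen = {}
    for line in id_lines:
        info = parse_id_output(line)
        seen[info["user"]] = info
    missing = []
    for user in dc_members:
        info = seen.get(user)
        if info is None or group not in info["groups"]:
            missing.append(user)
    return missing


# Sample input taken from the thread (lines re-joined after mail wrapping).
ID_LINES = [
    r"uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain users),3001(BUILTIN\users)",
    r"uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain users),10153(restrictaccess),3001(BUILTIN\users)",
]
DC_MEMBERS = ["user1", "user2"]          # samba-tool group listmembers restrictaccess
ALLOW_GROUPS = ["restrictaccess", "root"]  # AllowGroups line from sshd_config

if __name__ == "__main__":
    for line in ID_LINES:
        info = parse_id_output(line)
        hit = allowgroups_match(ALLOW_GROUPS, info)
        if hit:
            verdict = f"allowed via group {hit[0]!r} (AllowGroups entry {hit[1]!r})"
        else:
            verdict = "denied: none of user's groups are listed in AllowGroups"
        print(f"{info['user']}: {verdict}")
    print("DC members lacking the group on this host:",
          members_missing_group("restrictaccess", DC_MEMBERS, ID_LINES))
```

Run it on a member with the real `id` lines pasted in (or piped from `id "$user"`) to see at a glance which users sshd will reject and which DC members winbind is not currently reporting the group for; a user appearing under "lacking the group" is the case Rowland describes rather than a misconfigured AllowGroups.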



