[Samba] Winbind/Samba + sshd incorrect groups

Brian Whitehead bwhitehd at earthlink.net
Tue Mar 26 20:21:12 GMT 2002


How have you configured ssh to use winbind?  Did you set up PAM to do this?
Could you give some specifics on how you are getting the account information
to sshd?

--
Brian
----- Original Message -----
From: "Mark Cooke" <mark at mmebs.co.uk>
To: <samba at lists.samba.org>
Sent: Tuesday, March 26, 2002 6:45 AM
Subject: [Samba] Winbind/Samba + sshd incorrect groups


> I'm currently running it on a test server (before I roll it out to our 6
> live Linux boxes),
> and it's starting to drag on and drive me mad.
>
> O/S: RedHat 7.1
> Samba: 2.2.3a
>
> I've got the whole system working nearly perfectly. As Samba uses
> 'MMGROUP+Domain Users' as the primary group, I wanted to restrict who can
> use SSH and Samba on the workstations.
> So I created a specific group on the NT PDC called 'MMGROUP+Winbind' and
> in there placed 5 users.
> This generally works fine, by specifying in the /etc/ssh/sshd_config:
>
> AllowGroups MMGROUP+Winbind
>
> And also in the smb.conf file I've added:
>
> valid users =  @MMGROUP+Winbind.
>
> I can allow access to who I require, just by adding them to the main group
> on the PDC.
>
> Now here's the wacky bit...
>
> It works fine for a few days, even weeks, then all of a sudden some users
> cannot log in via ssh (but they can still browse the Samba share).
> These users' settings have not changed on the PDC at all; their passwords
> and usernames have all stayed the same.
> There is nothing different or weird about their accounts either.
> Even removing them from the group, restarting samba and ssh and putting
> them back in doesn't cure the problem.
>
> In /var/log/secure I get the same errors for all the users that cannot
> log in (it's not the same every time, the users can vary):
>
> sshd[15164]: User MMGROUP+mark not allowed because none of user's groups
> are listed in AllowGroups
> sshd[15164]: Failed password for illegal user MMGROUP+mark from
> 192.168.1.231 port 1055
>
> As you can see, the section says 'none of user's groups are listed in
> AllowGroups',
> yet the users are in MMGROUP+Winbind, as running 'getent group' reveals
> and as I also verified on the NT PDC.
>
> If I comment out AllowGroups in the sshd_config file they can log in
> perfectly OK.
> To be honest it looked like an ssh problem at first, but thinking about it
> (and I may be wrong),
> it looks like Winbind is not giving ssh back the correct users from that
> group.
> I have tried different versions of ssh and samba and this is still the
> same error. As I mentioned earlier, for a while it works, so it's very
> intermittent, but once I get the errors listed above, that's it, it just
> refuses to let those users log in.
> I did cure it once, by removing the affected users from
> MMGROUP+Winbind, then putting them back in, but even that doesn't work
> anymore for people.
> The PDC and Winbind are talking to each other OK, as if I add or remove
> users, it shows up on Winbind in about 10 seconds and again they work fine
> (unless I add AllowGroups to ssh, which goes gaga after a while).
>
> Any help would be brilliant and thank you to everyone in advance..
>
> Mark
>
> -----
> ----------
> Mark Cooke
> Internet Operations Technician
> MM Group Ltd
> Tel: 8141 (Internal)
> Tel: (0117) 9168141 (External)
> Email: mark at mmebs.co.uk
> http://www.mmgroup.co.uk
>
>
>
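The thread contrasts two lookups: `getent group` prints a group's member list, while OpenSSH builds the list it tests against AllowGroups from the user's side, using `getgrouplist()` on the user and primary gid. The following is an added example, not part of the original messages or of Samba or OpenSSH, that compares both views for one user. The helper names, the gids and the sample database are constructed, and AllowGroups names are matched exactly (no wildcard patterns).

```python
import grp, os, pwd, sys
from types import SimpleNamespace

# Real NSS lookups (answered by winbind when it is listed in nsswitch.conf).
SYSTEM = SimpleNamespace(getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam,
                         getgrgid=grp.getgrgid, getgrouplist=os.getgrouplist)

def member_view(user, groups, nss=SYSTEM):
    """Groups whose member list names the user: what `getent group` displays."""
    found = set()
    for name in groups:
        try:
            if user in nss.getgrnam(name).gr_mem:
                found.add(name)
        except KeyError:
            pass  # group name does not resolve at all
    return found

def user_view(user, nss=SYSTEM):
    """Groups reached from the user's side: primary gid plus getgrouplist()."""
    names = set()
    for gid in nss.getgrouplist(user, nss.getpwnam(user).pw_gid):
        try:
            names.add(nss.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid that has no name mapping
    return names

def check_allowgroups(user, allow_groups, nss=SYSTEM):
    """Compare both views, restricted to the names listed in AllowGroups."""
    m = member_view(user, allow_groups, nss)       # group-side lookup
    u = user_view(user, nss) & set(allow_groups)   # user-side lookup
    return {"member_view": m, "user_view": u, "consistent": m == u}

def constructed_nss():
    """Constructed sample: the member list names the user, the user lookup does not."""
    G = lambda name, gid, mem: SimpleNamespace(gr_name=name, gr_gid=gid, gr_mem=mem)
    groups = [G("MMGROUP+Domain Users", 10000, []),
              G("MMGROUP+Winbind", 10001, ["MMGROUP+mark"])]
    return SimpleNamespace(
        getpwnam=lambda u: SimpleNamespace(pw_name=u, pw_gid=10000),
        getgrnam=lambda n: {g.gr_name: g for g in groups}[n],
        getgrgid=lambda i: {g.gr_gid: g for g in groups}[i],
        getgrouplist=lambda u, gid: [gid])  # supplementary groups missing

if __name__ == "__main__":  # usage: script USER GROUP...; no arguments = sample data
    args = sys.argv[1:] or ["MMGROUP+mark", "MMGROUP+Winbind"]
    nss = SYSTEM if sys.argv[1:] else constructed_nss()
    print(check_allowgroups(args[0], args[1:], nss))
```

A result with `consistent` set to `False` on a live host means the two NSS paths disagree for that user, which is the condition to capture (with timestamps) when the AllowGroups denial appears in /var/log/secure.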