[Samba] Winbind/Samba + sshd incorrect groups

Mark Cooke mark at mmebs.co.uk
Tue Mar 26 04:47:12 GMT 2002


I'm currently running it on a test server (before I roll it out to our 6 
live Linux boxes),
and it's starting to drag on and drive me mad.

O/S: RedHat 7.1
Samba: 2.2.3a

I've got the whole system working nearly perfectly. As samba uses the
'MMGROUP+Domain Users' as the primary group, I wanted to restrict who can
use SSH and samba on the workstations.
So I created a specific group on the NT PDC called 'MMGROUP+Winbind' and in
there placed 5 users.
This generally works fine, by specifying in the /etc/ssh/sshd_config:

AllowGroups MMGROUP+Winbind

And also in the smb.conf file I've added:

valid users = @MMGROUP+Winbind

I can allow access to who I require, just by adding them to the main group 
on the PDC.

Now here's the wacky bit...

It works fine for a few days, even weeks, then all of a sudden some users
cannot log in via ssh (but they can still browse the samba share).
These users' settings have not changed on the PDC at all, their passwords and
usernames have all stayed the same.
There is nothing different or weird about their accounts either.
Even removing them from the group, restarting samba and ssh and putting 
them back in doesn't cure the problem.

In /var/log/secure I get the same errors for all the users that cannot log in
(it's not the same every time, the users can vary):

sshd[15164]: User MMGROUP+mark not allowed because none of user's groups are listed in AllowGroups
sshd[15164]: Failed password for illegal user MMGROUP+mark from 192.168.1.231 port 1055

As you can see, the section says 'none of user's groups are listed in
AllowGroups',
yet the users are in the MMGROUP+Winbind, as running 'getent group' reveals,
and I have verified this on the NT PDC as well.

If I comment out the AllowGroups from the sshd_config file they can log in
perfectly OK.
To be honest it looked like an ssh problem at first, but thinking about it
(and I may be wrong)
it looks like Winbind is not giving ssh back the correct users from that group.
I have tried different versions of ssh and samba and this is still the same
error. As I mentioned earlier, for a while it works, so it's very
intermittent, but once I get the errors listed above, that's it, it just
refuses to let those users log in.
I did cure it once, by removing the affected users from the
MMGROUP+Winbind, then putting them back in, but even that doesn't work anymore
for people.
The PDC and Winbind are talking to each other OK, as if I add or remove
users, it shows up on Winbind in about 10 seconds and again they work fine
(unless I add the AllowGroups to ssh, which goes ga-ga after a while).

Any help would be brilliant and thank you to everyone in advance.

Mark

-----
----------
Mark Cooke
Internet Operations Technician
MM Group Ltd
Tel: 8141 (Internal)
Tel: (0117) 9168141 (External)
Email: mark at mmebs.co.uk
http://www.mmgroup.co.uk
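
Added example, not part of the original post: a diagnostic for the symptom described above. sshd checks AllowGroups against the per-user group list (getgrouplist), while 'getent group' prints each group's member list, so this script takes the denied users from the sshd log lines and reports where the two views disagree. The function names and verdict labels are this example's own; the log path is passed as an argument.

```python
import grp
import os
import pwd
import re
import sys

# sshd message as quoted in the post (a single line in /var/log/secure)
DENIED = re.compile(r"sshd\[\d+\]: User (\S+) not allowed because none of "
                    r"user's groups are listed in AllowGroups")
SAMPLE_LOG = [  # the two lines quoted in the post, unwrapped
    "sshd[15164]: User MMGROUP+mark not allowed because none of user's groups are listed in AllowGroups",
    "sshd[15164]: Failed password for illegal user MMGROUP+mark from 192.168.1.231 port 1055",
]

def denied_users(log_lines):
    """Distinct users sshd rejected on AllowGroups, in first-seen order."""
    return list(dict.fromkeys(m.group(1) for m in map(DENIED.search, log_lines) if m))

def system_views(user, group):
    """Ask NSS both ways: (user in group's member list?, user's own group names)."""
    try:
        listed = user in grp.getgrnam(group).gr_mem   # what 'getent group' shows
    except KeyError:
        listed = False
    try:
        gids = os.getgrouplist(user, pwd.getpwnam(user).pw_gid)  # per-user lookup
    except KeyError:
        return listed, None                           # user does not resolve at all
    names = set()
    for gid in gids:
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))                       # gid with no name mapping
    return listed, names

def classify(group, listed, resolved):
    """Name the state of one user with respect to the AllowGroups group."""
    if resolved is None:
        return "user-unresolvable"
    if group in resolved:
        return "member"
    return "mismatch" if listed else "not-member"     # mismatch: enumerated, yet denied

def check(log_lines, group, views=system_views):
    """Map each denied user to a verdict; 'views' is injectable for offline tests."""
    return {u: classify(group, *views(u, group)) for u in denied_users(log_lines)}

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for user, verdict in check(lines, "MMGROUP+Winbind").items():
        print(f"{user}: {verdict}")
```

A "mismatch" verdict means the group enumeration lists the user but the per-user lookup does not return the group, which is the state the log lines above describe.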




