[Samba] Winbind/Samba + sshd incorrect groups
Mark Cooke
mark at mmebs.co.uk
Tue Mar 26 04:47:12 GMT 2002
I'm currently running it on a test server (before I roll it out to our 6
live Linux boxes),
and it's starting to drag on and drive me mad.
O/S: RedHat 7.1
Samba: 2.2.3a
I've got the whole system working nearly perfectly. As Samba uses
'MMGROUP+Domain Users' as the primary group, I wanted to restrict who can
use SSH and Samba on the workstations.
So I created a specific group on the NT PDC called 'MMGROUP+Winbind' and in
there placed 5 users.
This generally works fine, by specifying in the /etc/ssh/sshd_config:
AllowGroups MMGROUP+Winbind
And also in the smb.conf file I've added:
valid users = @MMGROUP+Winbind.
I can allow access to who I require, just by adding them to the main group
on the PDC.
Now here's the wacky bit...
It works fine for a few days, even weeks, then all of a sudden some users
cannot log in via ssh (but they can still browse the Samba share).
These users' settings have not changed on the PDC at all; their passwords and
usernames have all stayed the same.
There is nothing different or weird about their accounts either.
Even removing them from the group, restarting samba and ssh and putting
them back in doesn't cure the problem.
In /var/log/secure I get the same errors for all the users that cannot log in
(it's not the same every time, the users can vary):
sshd[15164]: User MMGROUP+mark not allowed because none of user's groups
are listed in AllowGroups
sshd[15164]: Failed password for illegal user MMGROUP+mark from
192.168.1.231 port 1055
As you can see the section that says 'none of user's groups are listed in
AllowGroups'
yet the users are in the MMGROUP+Winbind, as running 'getent group' reveals
this & verifying this also on the NT PDC.
If I comment out the AllowGroups from the sshd_config file they can log in
perfectly ok.
To be honest it looked like an ssh problem at first, but thinking about it
(and I may be wrong)
it looks like Winbind is not giving ssh back the correct users from that group.
I have tried different versions of ssh and Samba and this is still the same
error. As I mentioned earlier, for a while it works, so it's very
intermittent, but once I get the errors listed above, that's it, it just
refuses to let those users log in.
I did cure it once, by removing the affected users from the
MMGROUP+Winbind, then put them back in, but even that doesn't work anymore
for people.
The PDC and Winbind are talking to each other OK, as if I add or remove
users, it shows up on Winbind in about 10 seconds and again they work fine
(unless I add the AllowGroups to ssh, which goes ga-ga after a while).
Any help would be brilliant and thank you to everyone in advance.
Mark
-----
----------
Mark Cooke
Internet Operations Technician
MM Group Ltd
Tel: 8141 (Internal)
Tel: (0117) 9168141 (External)
Email: mark at mmebs.co.uk
http://www.mmgroup.co.uk
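
A triage sketch for the symptom reported above, added here as an example and not part of the original post or of Samba/OpenSSH: it extracts the AllowGroups denials from /var/log/secure and flags users that `getent group` still lists as members of an allowed group. The helper `login_time_groups` shows the per-user group list resolved through getgrouplist(3), a different lookup from group enumeration; that sshd's AllowGroups check works from that per-user list is an assumption here, and the hostname `testbox`, the users `alice` and `guest`, and all sample lines are constructed.

```python
import re

# Constructed sample inputs: log lines follow the message format quoted in the post.
SAMPLE_SECURE_LOG = """\
Mar 26 04:40:01 testbox sshd[15164]: User MMGROUP+mark not allowed because none of user's groups are listed in AllowGroups
Mar 26 04:40:03 testbox sshd[15164]: Failed password for illegal user MMGROUP+mark from 192.168.1.231 port 1055
Mar 26 04:41:10 testbox sshd[15170]: User MMGROUP+guest not allowed because none of user's groups are listed in AllowGroups
"""
SAMPLE_GETENT_GROUP = """\
MMGROUP+Domain Users:x:10000:MMGROUP+mark,MMGROUP+alice,MMGROUP+guest
MMGROUP+Winbind:x:10005:MMGROUP+mark,MMGROUP+alice
"""

DENIED_RE = re.compile(r"sshd\[\d+\]: User (.+?) not allowed because none of "
                       r"user's groups are listed in AllowGroups")

def denied_users(log_text):
    """Users sshd rejected on the AllowGroups check."""
    return {m.group(1) for m in DENIED_RE.finditer(log_text)}

def parse_getent_group(text):
    """Map group name -> set of members from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:  # name:passwd:gid:member,member,...
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def mismatches(log_text, getent_text, allow_groups):
    """Denied users that `getent group` nevertheless lists in an allowed group."""
    groups = parse_getent_group(getent_text)
    allowed = set().union(*(groups.get(g, set()) for g in allow_groups))
    return sorted(denied_users(log_text) & allowed)

def login_time_groups(user):
    """Group names resolved for `user` on this host via getgrouplist(3)."""
    import grp, os, pwd  # Unix-only; run on the affected server
    gid = pwd.getpwnam(user).pw_gid
    return sorted(grp.getgrgid(g).gr_name for g in os.getgrouplist(user, gid))

if __name__ == "__main__":
    for user in mismatches(SAMPLE_SECURE_LOG, SAMPLE_GETENT_GROUP, ["MMGROUP+Winbind"]):
        print(f"{user}: denied by AllowGroups but listed as a member by getent group")
```

On a live host, feed it the real /var/log/secure and `getent group` output, then compare `login_time_groups(user)` for each flagged user against the AllowGroups entry to see which view of the membership has gone stale.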