[Samba] Winbind/Samba + sshd incorrect groups
Jeremy Allison
jra at samba.org
Tue Mar 26 12:08:04 GMT 2002
On Tue, Mar 26, 2002 at 12:45:29PM +0000, Mark Cooke wrote:
> I'm currently running it on a test server (before I roll it out to our 6
> live Linux boxes)
> And it's starting to drag on and drive me mad.
>
> O/S: RedHat 7.1
> Samba: 2.2.3a
>
> I've got the whole system working nearly perfectly, as samba uses the
> 'MMGROUP+Domain Users' as the primary group, I wanted to restrict who can
> use SSH and samba on the workstations.
> So I created a specific group on the NT PDC called 'MMGROUP+Winbind' and in
> there placed 5 users.
> This generally works fine, by specifying in the /etc/ssh/sshd_config:
>
> AllowGroups MMGROUP+Winbind
>
> And also in the smb.conf file I've added:
>
> valid users = @MMGROUP+Winbind.
>
> I can allow access to who I require, just by adding them to the main group
> on the PDC.
>
> Now here's the wacky bit...
>
> It works fine for a few days, even weeks, then all of a sudden some users
> cannot log in via ssh (but they can still browse the samba share)
> These users' settings have not changed on the PDC at all, their passwords and
> usernames have all stayed the same.
> There is nothing different or weird about their accounts either.
> Even removing them from the group, restarting samba and ssh and putting
> them back in doesn't cure the problem.
>
> In /var/log/secure I get the same errors for all the users that cannot log in
> (it's not the same every time, the users can vary):
>
> sshd[15164]: User MMGROUP+mark not allowed because none of user's groups
> are listed in AllowGroups
> sshd[15164]: Failed password for illegal user MMGROUP+mark from
> 192.168.1.231 port 1055
>
> As you can see the section that says 'none of user's groups are listed in
> AllowGroups'
> yet the users are in the MMGROUP+Winbind, as running 'getent group' reveals
> this & verifying this also on the NT PDC.
>
> If I comment out the AllowGroups from the sshd_config file they can log in
> perfectly ok.
> To be honest it looked like a ssh problem at first, but thinking about it
> (and I may be wrong)
> It looks like Winbind is not giving ssh back the correct users from that group.
> I have tried different versions of ssh and samba and this is still the same
> error, as I mentioned earlier, for a while it works, so it's very
> intermittent, but once I get the errors listed above, that's it, it just
> refuses to let those users log in.
> I did cure it once, by removing the affected users from the
> MMGROUP+Winbind, then put them back in, but even that doesn't work anymore
> for people.
> The PDC and Winbind are talking to each other ok, as if I add or remove
> users, it shows up on Winbind in about 10 seconds and again they work fine
> (unless I add the AllowGroups to ssh, which goes ga-ga after a while)

Try doing a wbinfo -r <user> to get the groups list
for that user - what does it say?

Jeremy
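
An added diagnostic for the symptom described in this thread, not part of the original messages and not Samba or OpenSSH code: it compares the group's member list (what `getent group` shows) with the user's own resolved group list, the same direction `wbinfo -r` queries. The names `nss_views`, `classify` and `groupviews.py` are hypothetical, and that sshd builds its AllowGroups check from the user's group list is an assumption.

```python
import grp
import os
import pwd
import sys


def nss_views(user, group):
    """Ask NSS both questions and return (gid, members, user_gids)."""
    g = grp.getgrnam(group)      # group -> members: what `getent group` prints
    p = pwd.getpwnam(user)
    # user -> groups: the direction a login service resolves at logon
    # (assumption: sshd's AllowGroups check is built from this list)
    user_gids = set(os.getgrouplist(user, p.pw_gid))
    return g.gr_gid, set(g.gr_mem), user_gids


def classify(user, gid, members, user_gids):
    """Compare the two views for one user and one group."""
    listed = user in members
    resolved = gid in user_gids
    if listed and not resolved:
        return "listed-but-not-resolved"    # the symptom reported in this thread
    if resolved and not listed:
        return "resolved-but-not-listed"    # normal when it is the primary group
    return "consistent-member" if listed else "consistent-nonmember"


def main(argv):
    if len(argv) != 3:
        print("usage: groupviews.py USER GROUP", file=sys.stderr)
        return 2
    user, group = argv[1], argv[2]
    try:
        gid, members, user_gids = nss_views(user, group)
    except KeyError as exc:
        print(f"NSS lookup failed: {exc}", file=sys.stderr)
        return 2
    verdict = classify(user, gid, members, user_gids)
    print(f"{user} / {group} (gid {gid}): {verdict}")
    print(f"  member list has user: {user in members}")
    print(f"  user's gids: {sorted(user_gids)}")
    # Non-zero exit on the mismatch so a cron job or monitor can alert on it.
    return 1 if verdict == "listed-but-not-resolved" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Quote the arguments when running it, since winbind names such as 'MMGROUP+Domain Users' contain spaces.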