[Samba] Winbind/Samba + sshd incorrect groups

Jeremy Allison jra at samba.org
Tue Mar 26 12:08:04 GMT 2002


On Tue, Mar 26, 2002 at 12:45:29PM +0000, Mark Cooke wrote:
> I'm currently running it on a test server (before I roll it out to our 6 
> live Linux boxes)
> And it's starting to drag on and drive me mad.
> 
> O/S: RedHat 7.1
> Samba: 2.2.3a
> 
> I've got the whole system working nearly perfectly, as samba uses the 
> 'MMGROUP+Domain Users' as the primary group, I wanted to restrict who can 
> use SSH and samba on the workstations.
> So I created a specific group on the NT PDC called 'MMGROUP+Winbind' and in 
> there placed 5 users.
> This generally works fine, by specifying in the /etc/ssh/sshd_config:
> 
> AllowGroups MMGROUP+Winbind
> 
> And also in the smb.conf file I've added:
> 
> valid users =  @MMGROUP+Winbind.
> 
> I can allow access to who I require, just by adding them to the main group 
> on the PDC.
> 
> Now here's the wacky bit...
> 
> It works fine for a few days, even weeks, then all of a sudden some users 
> cannot login via ssh (but they can still browse the samba share)
> These users' settings have not changed on the PDC at all, their passwords and 
> usernames have all stayed the same.
> There is nothing different or weird about their accounts either.
> Even removing them from the group, restarting samba and ssh and putting 
> them back in doesn't cure the problem.
> 
> In /var/log/secure I get the same errors for all the users that cannot log in
> (it's not the same every time, the users can vary):
> 
> sshd[15164]: User MMGROUP+mark not allowed because none of user's groups 
> are listed in AllowGroups
> sshd[15164]: Failed password for illegal user MMGROUP+mark from 
> 192.168.1.231 port 1055
> 
> As you can see the section that says 'none of user's groups are listed in 
> AllowGroups'
> yet the users are in the MMGROUP+Winbind, as running 'getent group' reveals 
> this & verifying this also on the NT PDC.
> 
> If I comment out the AllowGroups from the sshd_config file they can log in 
> perfectly ok.
> To be honest it looked like a ssh problem at first, but thinking about it 
> (and I may be wrong)
> It looks like Winbind is not giving ssh back the correct users from that group.
> I have tried different versions of ssh and samba and this is still the same 
> error, as I mentioned earlier, for a while it works, so it's very 
> intermittent, but once I get the errors listed above, that's it, it just 
> refuses to let those users login.
> I did cure it once, by removing the affected users from the 
> MMGROUP+Winbind, then put them back in, but even that doesn't work anymore 
> for people.
> The PDC and Winbind are talking to each other ok, as if I add or remove 
> users, it shows up on Winbind in about 10 seconds and again they work fine 
> (unless I add the AllowGroups to ssh, which goes gaga after a while)

Try doing a wbinfo -r <user> to get the groups list
for that user - what does it say?

Jeremy
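
Added example, not part of the original thread and not Samba or OpenSSH code: a small check that compares the two directions of one group membership through NSS, the group-to-members enumeration that 'getent group' prints and the user-to-groups list that 'wbinfo -r <user>' reports on the winbind side. It assumes (not confirmed in the thread) that the AllowGroups decision follows the user-to-groups direction; the function names and the script name check.py are hypothetical.

```python
import grp
import os
import pwd
import sys


def compare_views(user, group, members_of_group, groups_of_user):
    """Classify the two views of one membership (pure, no NSS calls)."""
    in_enum = user in members_of_group   # group -> members ('getent group')
    in_list = group in groups_of_user    # user -> groups ('wbinfo -r', 'id')
    if in_enum and in_list:
        return "consistent: member"
    if not in_enum and not in_list:
        return "consistent: not a member"
    if in_enum:
        return "MISMATCH: listed in group, but user's group list lacks it"
    return "MISMATCH: user's group list has it, but group enumeration lacks user"


def nss_views(user, group):
    """Fetch both views through NSS (winbind included if nsswitch uses it)."""
    pw = pwd.getpwnam(user)
    gr = grp.getgrnam(group)
    members = set(gr.gr_mem)
    if gr.gr_gid == pw.pw_gid:
        # gr_mem usually omits users whose primary group this is.
        members.add(user)
    names = set()
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            # A gid with no name mapping is itself worth reporting.
            names.add("<unresolved gid %d>" % gid)
    return members, names


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check.py USER GROUP")
    user, group = sys.argv[1], sys.argv[2]
    try:
        members, names = nss_views(user, group)
    except KeyError as exc:
        sys.exit("NSS lookup failed: %s" % exc)
    print(compare_views(user, group, members, names))
    print("user's groups:", ", ".join(sorted(names)))
```

Run it as, for example, check.py 'MMGROUP+mark' 'MMGROUP+Winbind' on the affected box while a user is being refused; a MISMATCH line means the two lookups disagree and the winbind side is where to look.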



