[Samba] SerNet - Samba 4.3 and ssh password logins

L.P.H. van Belle belle at bazuin.nl
Mon Apr 11 14:48:48 UTC 2016


This is not a replication problem, but getting the UID on a DC is a bit different than on a member server. 
Or is heinz a "linux" user and not a samba/windows user?

I've set it up like this. 

1 or 2 linux users, only to maintain the linux systems. 
For these I use the ssh_linux_group. 

For the windows logins I use the ssh_windows_group. 
This one is the only one you should use for your users, because this one 

Above is only used for the member servers. 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For my DCs.  
I don't have any windows users who may log in there, that's off limits. 
But if you do want it, it's possible also. 

For the DC. 
You need 

The template settings also for homedir and shell. 
Make sure these match your DCs. 

And make sure also that the group ssh_allow has a GID. 
( above 1000 because of the (possible) pam defaults ) 

Test with id username on DC and member.  ( or getent passwd username ) 
Make sure the username, uid, homedir and shell match. 


Greetz, 

Louis
^^
Louis.. Heinz.. not Luise..  ;-) 

That's my grandmother..
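The checks Louis describes above (UID 1000+, a home directory and shell from the template settings, a group that has a GID, and `id` on the host actually showing the group) as a small POSIX shell script. This is an added example, not code from the thread or from Samba; it works on the text that `getent passwd`, `getent group` and `id` print, so the constructed sample lines below (modelled on the `id` output posted in the thread) can be swapped for live output.

```sh
#!/bin/sh
# Added example, not from the thread: verify the preconditions for an AD account
# to pass sshd "AllowGroups ssh_allow" on a member server or DC:
#   - the user resolves with UID >= 1000 (Debian PAM default), a home and a shell
#   - the group resolves with a numeric GID (gidNumber set in AD)
#   - `id` on this host lists the group for the user
MIN_UID=1000

# check_passwd_entry "<getent passwd line>" -> 0 when the account can log in
check_passwd_entry() {
    entry=$1
    [ -n "$entry" ] || { echo "user not resolvable via nss/winbind" >&2; return 1; }
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    case $uid in ''|*[!0-9]*) echo "no numeric uid: '$uid'" >&2; return 1;; esac
    [ "$uid" -ge "$MIN_UID" ] || { echo "uid $uid below $MIN_UID" >&2; return 1; }
    [ -n "$home" ] || { echo "empty home dir (check template homedir)" >&2; return 1; }
    case $shell in /*) ;; *) echo "no login shell (check template shell)" >&2; return 1;; esac
}

# check_group_entry "<getent group line>" -> 0 when the group has a numeric GID
check_group_entry() {
    gid=$(printf '%s' "$1" | cut -d: -f3)
    case $gid in ''|*[!0-9]*) echo "group has no GID (needs gidNumber)" >&2; return 1;; esac
}

# check_membership "<id output>" "<group>" -> 0 when the group shows up for the user
check_membership() {
    case $1 in *"($2)"*) return 0;; esac
    echo "$2 not in this host's view of the user's groups" >&2
    return 1
}

# Constructed samples; the two `id` lines mirror the ones posted in the thread.
USER_OK='testsamba4:*:1002794:1000513:testsamba4:/home/SAMDOM/testsamba4:/bin/bash'
USER_NOSHELL='svc_x:*:1002801:1000513::/home/SAMDOM/svc_x:'
GROUP_OK='ssh_allow:x:1002805:'
GROUP_NOGID='ssh_allow:x::'
ID_TESTSAMBA4='uid=1002794(testsamba4) gid=1000513(domain users) groups=1000513(domain users),1002794(testsamba4),1002805(ssh_allow),100001(BUILTIN\users)'
ID_HEINZ='uid=1001340(heinz) gid=1000513(domain users) groups=1000513(domain users),1001340(heinz),1002797(neurologie),100001(BUILTIN\users)'

# Live use on the server, for a user $u:
#   check_passwd_entry "$(getent passwd "$u")" && check_group_entry "$(getent group ssh_allow)" && check_membership "$(id "$u")" ssh_allow
```

Run the three checks on both the DC and the member server and compare: a user who passes on the DC but fails check_membership on the member (as heinz does in the sample) has a winbind cache or idmap issue on that host, not a broken group.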


> -----Original message-----
> From: Heinz Allerberger [mailto:allerberger at em.uni-frankfurt.de]
> Sent: Monday 11 April 2016 16:20
> To: L.P.H. van Belle
> Subject: Re: [Samba] SerNet - Samba 4.3 and ssh password logins
> 
> Hi Luise,
> 
> thank you very much for your help. Now it works, but one failure
> remains...
> 
> 1. sshd_config: AllowGroups ssh_allow
> 
> 2. samba-tool group add ssh_allow
> 
> 3. samba-tool group addmember ssh_allow testuser4
> 
> 4. ssh testsamba4 at 192.168.151.123
> heinz at neuro1000:~$ ssh testsamba4 at 192.168.151.123
> Password:
> Last login: Mon Apr 11 15:09:16 2016 from 192.168.151.111
> 
> NEW FAILURE:
> But "heinz", who is a member of group "ssh_allow" on DC1, is not replicated
> to the member server 192.168.151.123. Other users, who I put later
> into the group ssh_allow, are immediately replicated.
> 
> root at dc1:~# samba-tool group listmembers ssh_allow
> heinz
> testsamba4
> 
> root at fileserver1:~#id heinz
> uid=1001340(heinz) gid=1000513(domain users) groups=1000513(domain
> users),1001340(heinz),1002797(neurologie),100001(BUILTIN\users)
> 
> root at fileserver1:~# id testsamba4
> uid=1002794(testsamba4) gid=1000513(domain users)
> groups=1000513(domainusers),1002794(testsamba4),1002805(ssh_allow),100001(
> BUILTIN\users)
> 
> Do you have an idea why this membership of "heinz" is not
> replicated?
> 
> Greetings,
> Heinz
> 
> 
> On 11.04.2016 at 14:58, L.P.H. van Belle wrote:
> > Hai,
> >
> > I have
> > AllowGroups sshlinux, sshwindows
> >
> > Add at least 1 user in the linux group and at least 1 in the sshwindows group.
> >
> > Make sure the sshwindows group has a GID.
> > And make sure the windows user logging in via ssh also has a UID.
> >
> > AND for both, UID 1000+  ( which is in debian the default PAM setting ).
> >
> > This is based on a "MEMBER" server.
> >
> > If you do:
> > getent windowsuser
> > do you get uid, gid, homedir and shell? And are these ok to login?
> >
> > If yes, is the home dir local on the server or shared ?
> >
> > If shared and IF kerberos based nfsv4 then you need some more.
> >
> > But first the above, else I'm lost in all the mails..
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heinz Allerberger
> >> Sent: Monday 11 April 2016 14:10
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] SerNet - Samba 4.3 and ssh password logins
> >>
> >> Dear members of the samba-list, dear Luis,
> >>
> >> unfortunately it doesn't work. I believe I do not understand the way I
> >> have to do it with the parameter AllowGroups in the ssh_config.
> >>
> >> I tried different ways to restrict the ssh login of Windows (Samba) users:
> >> ==============================================
> >> 1.) Into the sshd_config
> >> AllowUsers root mysamba-user
> >> /etc/init.d/ssh restart
> >>
> >> ...this works!
> >> Nobody else than root and mysamba-user can log on with ssh.
> >>
> >> 2.) Into the sshd_config
> >> AllowGroups
> >>
> >> Into /etc/group
> >> ssh:x:105:mysamba-user
> >>
> >> /etc/init.d/ssh restart
> >> ...this doesn't work!
> >>
> >> 3.) Into sshd_config
> >> AllowGroups
> >>
> >> samba-tool group addmembers AllowGroups mysamba-user
> >> /etc/init.d/ssh restart
> >> ...this doesn't work!
> >>
> >> 4.) Into sshd_config
> >> AllowGroups AllowGroups
> >> samba-tool group addmembers AllowGroups mysamba-user
> >> /etc/init.d/ssh restart
> >> ...this doesn't work!
> >>
> >> Please could anybody tell me what I'm doing wrong?
> >>
> >> Regards,
> >> Heinz
> >>
> >>
> >>
> >>
> >> On 06.04.2016 at 07:58, L.P.H. van Belle wrote:
> >>> That's pretty simple to do.
> >>>
> >>> Create a group on windows, add the allowed users in it.
> >>> Add
> >>> AllowGroups YourADGroup
> >>> In sshd_config
> >>> Restart ssh.
> >>>
> >>> You want unix and windows groups.
> >>> AllowGroups YourADGroup YourLinuxGroup
> >>>
> >>> Adduser Linuxgroup ( for the linux servers )
> >>>
> >>>
> >>> Greet,
> >>>
> >>> Louis
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heinz Allerberger
> >>>> Sent: Tuesday 5 April 2016 19:31
> >>>> To: samba at lists.samba.org
> >>>> Subject: [Samba] SerNet - Samba 4.3 and ssh password logins
> >>>>
> >>>> Hi everyone,
> >>>>
> >>>> I have a SerNet-Samba 4.3.6-10 AD which works fine.
> >>>>
> >>>> Now I try to implement a fileserver. It is a server with a lot of
> >>>> (old) users, which have a Unix account. On this server are also users
> >>>> who should be able to login from the Internet over ssh.
> >>>>
> >>>> But now I'm running into trouble with the security of my fileserver.
> >>>> When I install samba 4.3.6 on it and activate sernet-samba-client
> >>>> with winbind, every user can login over ssh with his
> >>>> Windows AD password. This seems dangerous to me.
> >>>>
> >>>> I could live with this, but then it should be possible that I can deny
> >>>> the ssh login for some users who should not have the possibility to
> >>>> login from the Internet. But these users should be able to login into the
> >>>> domain with a windows machine on the AD.
> >>>>
> >>>> How can I do that?
> >>>>
> >>>> Please don't worry about my English. I'm German and it is not my main
> >>>> language.
> >>>>
> >>>> Regards,
> >>>> Heinz
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>
> >
> >
