[Samba] id <username> - doesnt list all groups

Micha Ballmann ballmann at uni-landau.de
Tue Aug 7 11:15:00 UTC 2018


Thanks for your answer:

But I don't understand why the following is not working:

I want to restrict the ssh access for a special domain member:

In my "sshd_config" i added:

AllowGroups restrictaccess root

With user2 I'm able to log in via ssh!

log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE

With user1 I'm not!

log: User user1 from 192.168.0.100 not allowed because none of user's groups are listed in AllowGroups.

Have a look at my previous email: "id user2" shows the group 
"restrictaccess" and "id user1" doesn't. And I guess that's the 
reason why user2 is able to log in and user1 is not?

Thanks

Micha


On 07.08.2018 at 12:41, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 12:20:04 +0200
> Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> my environment:
>>
>> All servers are Ubuntu 16.04-18.04
>>
>> SAMBA AD DC server and several SAMBA DOMAIN MEMBERS (connected via
>> WINBIND). In the AD DC I've created a group "restrictaccess" and added
>> some users.
>>
>> Now when I'm typing "id <username>" on a Domain Member, for some users
>> the group "restrictaccess" is listed, for some not!
>>
>> For example:
>>
>> ON DC:
>>
>> # samba-tool group listmembers restrictaccess
>>
>> user1
>> user2
>>
>> ON Domain Member:
>>
>> # id user1
>>
>> uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain
>> users),3001(BUILTIN\users)
>>
>> # id user2
>>
>> uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain
>> users),10153(restrictaccess),3001(BUILTIN\users)
>>
>> smb.conf on Domain Member:
>>
>> [global]
>>    security = ads
>>    realm = rootrudi.de
>>    workgroup = ROOTRUDI
>>    idmap config *: backend = tdb
>>    idmap config *: range = 3000-7999
>>    idmap config rootrudi:backend = ad
>>    idmap config rootrudi:range = 10000-999999
>>    idmap config rootrudi:schema_mode = rfc2307
>>    idmap config rootrudi:unix_nss_info = no
>>    template shell = /bin/bash
>>    template homedir = /home/%U
>>    domain master = No
>>    local master = No
>>    preferred master = No
>>    os level = 0
>>    restrict anonymous = 2
>>    winbind cache time = 10
>>    winbind enum groups = Yes
>>    winbind enum users = Yes
>>    winbind use default domain = Yes
>>    map acl inherit = Yes
>>    store dos attributes = Yes
>>    vfs objects = acl_xattr
>>
>> What happened?
>>
> Nothing, it is just that the user will not be logged in, this is from a
> unix domain member that the user 'emily' isn't logged into:
>
> id emily
> uid=10001(emily) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users)
>
> And from one where she is:
>
> id emily
> uid=10001(emily) gid=10000(domain_users) groups=10000(domain_users),10002(unixgroup),10010(group12),2001(BUILTIN\users)
>
> Rowland
>
>
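The following is an added example, not code from the thread or from Samba or OpenSSH: it replays sshd's AllowGroups decision for the two `id` lines posted above (embedded here as constructed strings) so the "none of user's groups are listed in AllowGroups" outcome for user1 can be reproduced offline. It extracts the group names independently of the locale-specific label (`groups=` vs. the German `Gruppen=` seen in the post) and treats each AllowGroups entry as a glob pattern, as sshd does; the function names `group_names` and `allowed_by_groups` are this example's own.

```shell
#!/bin/sh
# Added example: emulate sshd's AllowGroups check against `id` output.
# sshd matches every AllowGroups entry as a pattern against the user's primary
# and supplementary groups; no match -> login denied with the message in the post.
set -f   # AllowGroups entries are patterns, never expand them against file names

ALLOW_GROUPS="restrictaccess root"   # the sshd_config line from the post

# Constructed input: the two `id` lines from the domain member in the post.
# The label is "Gruppen=" because that member runs with a German locale, so a
# script that greps for "groups=" would silently see no groups at all.
ID_USER1='uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain users),3001(BUILTIN\users)'
ID_USER2='uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain users),10153(restrictaccess),3001(BUILTIN\users)'

# Print the group names of one `id` line, one per line (locale-independent).
group_names() {
    rest=${1%% context=*}   # drop a trailing SELinux "context=..." field, if any
    rest=${rest##*=}        # keep what follows the last "label=" (groups=/Gruppen=)
    printf '%s\n' "$rest" | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Return 0 if any group of the user ($1 = id line) matches any pattern in $2.
allowed_by_groups() {
    group_names "$1" | {
        while IFS= read -r g; do
            for pat in $2; do
                case $g in
                    $pat) exit 0 ;;   # sshd-style glob match, e.g. "domain*"
                esac
            done
        done
        exit 1
    }
}

# Note from the thread: winbind only reports the full group list for a user
# who has logged into that member before, so `id` on a member the user never
# used is not a reliable way to predict the AllowGroups result.
for u in "$ID_USER1" "$ID_USER2"; do
    name=${u#uid=*(}; name=${name%%)*}
    if allowed_by_groups "$u" "$ALLOW_GROUPS"; then
        echo "$name: allowed"
    else
        echo "$name: not allowed because none of user's groups are listed in AllowGroups"
    fi
done
```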
