[Samba] id <username> - doesn't list all groups
Micha Ballmann
ballmann at uni-landau.de
Tue Aug 7 11:15:00 UTC 2018
Thanks for your answer.
But I don't understand why the following is not working:
I want to restrict SSH access on a particular domain member:
In my "sshd_config" I added:
AllowGroups restrictaccess root
With user2 I'm able to log in via SSH!
log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE
With user1 I'm not!
log: User user1 from 192.168.0.100 not allowed because none of user's
groups are listed in AllowGroups.
Have a look at my previous email: "id user2" shows the group
"restrictaccess" and "id user1" doesn't. And I guess that's the
reason why user2 is able to log in and user1 is not?
Thanks
Micha
On 07.08.2018 at 12:41, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 12:20:04 +0200
> Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> my environment:
>>
>> All servers are Ubuntu 16.04-18.04
>>
>> SAMBA AD DC Server and several SAMBA DOMAIN MEMBERS (connected via
>> WINBIND). In the AD DC I've created a group "restrictaccess" and added
>> some users.
>>
>> Now when I'm typing "id <username>" on a Domain Member, for some users
>> the group "restrictaccess" is listed and for some it is not!
>>
>> For example:
>>
>> ON DC:
>>
>> # samba-tool group listmembers restrictaccess
>>
>> user1
>> user2
>>
>> ON Domain Member:
>>
>> # id user1
>>
>> uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain
>> users),3001(BUILTIN\users)
>>
>> # id user2
>>
>> uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain
>> users),10153(restrictaccess),3001(BUILTIN\users)
>>
>> smb.conf on Domain Member:
>>
>> [global]
>> security = ads
>> realm = rootrudi.de
>> workgroup = ROOTRUDI
>> idmap config *: backend = tdb
>> idmap config *: range = 3000-7999
>> idmap config rootrudi:backend = ad
>> idmap config rootrudi:range = 10000-999999
>> idmap config rootrudi:schema_mode = rfc2307
>> idmap config rootrudi:unix_nss_info = no
>> template shell = /bin/bash
>> template homedir = /home/%U
>> domain master = No
>> local master = No
>> preferred master = No
>> os level = 0
>> restrict anonymous = 2
>> winbind cache time = 10
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind use default domain = Yes
>> map acl inherit = Yes
>> store dos attributes = Yes
>> vfs objects = acl_xattr
>>
>> What happened?
>>
> Nothing, it is just that the user will not be logged in, this is from a
> unix domain member that the user 'emily' isn't logged into:
>
> id emily
> uid=10001(emily) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users)
>
> And from one where she is:
>
> id emily
> uid=10001(emily) gid=10000(domain_users) groups=10000(domain_users),10002(unixgroup),10010(group12),2001(BUILTIN\users)
>
> Rowland
>
>
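The two outputs above differ only in what the member's NSS/winbind layer reports for each user, and that is exactly what sshd's AllowGroups check consumes. The script below is an added example, not code from this thread, from Samba or from OpenSSH: it replays the AllowGroups decision over the two "id" lines quoted in the thread (copied here as constructed input) and contrasts them with the membership the DC reports, using a constructed "getent group" line whose gid 10153 comes from the thread and whose member list is assumed to match "samba-tool group listmembers".

```sh
#!/bin/sh
# Added example, not from the thread, Samba or OpenSSH. Replays the sshd
# AllowGroups decision against the group list that NSS/winbind reports for
# a user and compares it with what the DC says about group membership.

# Constructed input, copied from the shape of the "id" output in the thread.
ID_USER1='uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain users),3001(BUILTIN\users)'
ID_USER2='uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain users),10153(restrictaccess),3001(BUILTIN\users)'
# Constructed "getent group restrictaccess" line (gid from the thread, member
# list assumed to match "samba-tool group listmembers restrictaccess").
GETENT_RESTRICT='restrictaccess:x:10153:user1,user2'

# Print one group name per line from an id(1) line. Accepts the English
# "groups=" label as well as localized ones such as the German "Gruppen=".
id_group_names() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Gg]r[a-z]*=//p' |
        tr ',' '\n' |
        sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Succeed if the user ($2) appears in the member field of a group(5) line ($1).
group_lists_member() {
    members=${1##*:}
    case ",$members," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Replay sshd's AllowGroups check: succeed if any group reported for the user
# matches one of the whitespace-separated patterns. sshd_config allows glob
# patterns there; the shell's case statement evaluates globs the same way.
allowed_by_groups() {   # $1 = id line, $2 = AllowGroups value
    set -f                             # keep "*" in patterns away from the file system
    names=$(id_group_names "$1")
    pats=$(printf '%s\n' $2)           # split AllowGroups on whitespace, one per line
    old_ifs=$IFS
    IFS='
'
    rc=1
    for g in $names; do
        for pat in $pats; do
            case "$g" in
                $pat) rc=0; break 2 ;;
            esac
        done
    done
    IFS=$old_ifs
    set +f
    return $rc
}

# Explain a login decision in the words the thread's sshd log uses, and flag
# the case where the DC lists the user in the group but the member does not.
explain() {   # $1 = user, $2 = id line, $3 = AllowGroups value
    if allowed_by_groups "$2" "$3"; then
        printf '%s: allowed, a reported group matches AllowGroups\n' "$1"
    else
        printf '%s: not allowed because none of the groups reported for the user are listed in AllowGroups\n' "$1"
    fi
    if group_lists_member "$GETENT_RESTRICT" "$1" && ! allowed_by_groups "$2" restrictaccess; then
        printf '  note: the DC lists %s in restrictaccess, but this member does not report it for the user yet\n' "$1"
    fi
}

explain user1 "$ID_USER1" "restrictaccess root"
explain user2 "$ID_USER2" "restrictaccess root"
```

On a real member the same comparison is "getent group restrictaccess" against "id user1" (or "wbinfo --user-groups user1"); if the DC lists the user but the member does not, run "net cache flush" before testing again. Two caveats worth keeping in mind: AllowGroups patterns are separated by whitespace, so a group whose name contains a space (such as "domain users") cannot be named there at all, and the match is on the name as NSS reports it, which with "winbind use default domain = Yes" is "restrictaccess" rather than "ROOTRUDI\restrictaccess".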