[Samba] Debian client/workstation pam_mount

Robert Wooden wdn2420systm at gmail.com
Sun Sep 27 11:57:46 UTC 2020


The sshgroup exists on the client/workstation:

> root at lws4:~# cat /etc/groups
> .....................
> sshgroup:x:998:adminlinux
> .....................

But, on my member server that acts as a fileserver for domain users'
(redirected) files there is no "sshgroup" at this time.

The AD has server-ssh group:

> root at dc1:~# samba-tool group listmembers server-ssh
> tuser17
> tuser16
>

I went back and found Louis' email where he explained these two groups.
Here is part of that email:

> Created "server-ssh" group in AD and gave it a GID.
> Add the needed windows users that are allowed to ssh in the server,
> only windows users in this one.
>
> Create group "sshgroup" on member server (in Debian?)     <<<<<< maybe
> Louis meant member fileserver and not client/workstation and I
> misunderstood?
> yes, add the admin users for the system ( ONLY linux users here)
>

First, let me clarify, I am not saying Louis is incorrect here but rather I
think I misunderstood.

For me, these 'client/workstation/member server' computer names (generic
machine names) get merged together and *create confusion*.

Here is where I think (IMHO) the Linux (Debian, in my case)
client/workstations (C/W) are a different type of machine on the network
and yet carry many of the same characteristics of all member servers
(fileserver) just without any local (on the client/workstations) shares.
Maybe these machines should be called "client/workstation members" and
member fileserver should be referred to as "member file servers" serving
files to domain users logging into a "client/workstation members"
whether it be a Linux based C/W or a W10 based C/W? And not "lump" all
member servers (file servers) and linux based member servers (who are
actually a client/workstation) together as all member servers?

Like so:
W10 client/workstation or W10 C/W for short.
Linux client/workstation or Linux C/W for short.
Domain Controller is a DC (of course).
Domain member server is a member file server for the domain C/W's domain
users are logging into.

Is the "sshgroup" to be created on the member server (fileserver) that is
the file server for the W10/Debian client/workstations (C/W) domain users?
Or, on both the fileserver and the Debian client/workstations (C/W)? Or,
only on the client/workstations (C/W)?

You're suggesting that 'tuser16' needs to be a member of 'sshgroup' and I do
not understand how to make a domain user (tuser16) a member of a linux
group on a member server or a client/workstation?

Perhaps you see now why I may have confused what users get what group on
what domain computer?

On Sat, Sep 26, 2020 at 10:34 AM Rowland penny <rpenny at samba.org> wrote:

> On 26/09/2020 16:23, Robert Wooden wrote:
> > Okay, now so I don't get confused.
> > Yes, /home/WKDOM/tuser16 does exist on the client/workstation.
> >
> >     root at lws4:~# getent group
> >     root:x:0:
> >     /..snipped for brevity../
> >
> >     winbindd_priv:x:129:
> >     sshgroup:x:998:adminlinux
> >     postfix:x:130:
> >
> >     ..snipped for brevity..
> >
> >
> > There is no servers-ssh group on the C/W. (I have a server-ssh group
> > somewhere per Louis' instructions, just not on a C/W.) Should there be
> > a servers-ssh group on a C/W?
> >
> > And notice that tuser16 is not a member of "sshgroup".
>
> Then that is likely to be your problem, you posted your sshd config and
> it had this line:
>
> AllowGroups servers-ssh sshgroup
>
> So, if 'servers-ssh' doesn't exist and tuser16 isn't a member of
> 'sshgroup', then 'tuser16' will never log in, either add 'tuser16' to
> the 'sshgroup' or remove that line from your sshd conf or use a user
> that is a member of 'sshgroup'.
>
> Rowland
>
>
>
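
Added example, not part of the original thread: a small check that lists every group named on the sshd `AllowGroups` line and reports whether it resolves and whether a given user is a member, run here against the `getent group` lines quoted above. The function names are hypothetical, the sshd_config excerpt is constructed apart from its `AllowGroups` line, and the sketch assumes literal group names (no wildcard patterns) and supplementary membership only.

```shell
#!/bin/sh
# Constructed sshd_config excerpt; only the AllowGroups line comes from the thread.
SAMPLE_SSHD='PermitRootLogin no
#AllowGroups wheel
AllowGroups servers-ssh sshgroup'

# "getent group" lines quoted in the thread for the client/workstation.
SAMPLE_GROUPS='root:x:0:
winbindd_priv:x:129:
sshgroup:x:998:adminlinux
postfix:x:130:'

# Print each group named by AllowGroups (keyword is case-insensitive,
# commented-out lines are skipped). Reads sshd_config text on stdin.
allow_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }'
}

# group_status USER GROUP: reads getent-format lines on stdin and prints
# "missing", "member" or "not-member" (supplementary membership only).
group_status() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { found = 1; n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] == u) member = 1 }
        END { print (!found ? "missing" : (member ? "member" : "not-member")) }'
}

# check_user USER SSHD_TEXT GROUP_TEXT: report every AllowGroups entry and
# return 0 only if USER is in at least one of them, as sshd requires.
check_user() {
    allowed=1
    for g in $(printf '%s\n' "$2" | allow_groups); do
        s=$(printf '%s\n' "$3" | group_status "$1" "$g")
        echo "AllowGroups $g: $s for $1"
        if [ "$s" = member ]; then allowed=0; fi
    done
    return "$allowed"
}

# On a live host, pass "$(cat /etc/ssh/sshd_config)" and "$(getent group)".
for u in tuser16 adminlinux; do
    if check_user "$u" "$SAMPLE_SSHD" "$SAMPLE_GROUPS"; then
        echo "=> $u passes AllowGroups"
    else
        echo "=> $u is refused by AllowGroups"
    fi
done
```

A group reported as "missing" is worth comparing character by character against the name created in AD, since a name that does not resolve through NSS can never match.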

