[Samba] Debian client/workstation pam_mount

Robert Wooden wdn2420systm at gmail.com
Mon Sep 28 21:37:10 UTC 2020


Louis,
You said:

> For all my member servers *apply the following*.
>
This line :
> > > AllowGroups servers-ssh sshgroup
>

"apply the following" where????

There are 2, linux only Admin accounts, ( local accounts )
>    And, only if these are member of the "local group" sshgroup
>    then you're allowed to login.
>

Not sure I understand here. I have a linux admin user named "adminlinux"
(You do linuxadmin, I think) and of course 'root'. (I do not use root for
anything connected with AD.) What two (2) "linux only" admin accounts are
you talking about??


> Only users that are allowed to login with ssh on these servers
>    and are member of the "servers-ssh" group.
>    Both user and group MUST have UID/GID.
>
All domain users who are members of the "server-ssh" group have a UID and GID.

I have a Debian domain member (computer) that can log in as an AD member like
the W10 domain member. These logins are via domain user accounts (SAMDOM\user,
for example).

This is or can be a problem.
> sshgroup:x:998:adminlinux
>

The only linux user I have on any linux domain member (computer) is
"adminlinux" that is basically only used when I ssh in for maintenance.

And, kerberos sets :
>
> password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000            <<< NOTE !!!!
> password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
> password        [success=1 default=ignore]      pam_winbind.so try_authtok try_first_pass
>
> So only minimal UID 1000 is allowed to use kerberos auth.
>

This does not look like the content in /etc/krb5.conf? Looks more like a
pam_mount config file?
So, I am not sure what your thinking process was nor what I should do?

On Mon, Sep 28, 2020 at 4:01 AM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> The "short" version on why multiple groups here.
>
> For all my member servers apply the following.
> This line :
> > > AllowGroups servers-ssh sshgroup
>
> There are 2, linux only Admin accounts, ( local accounts )
>    And, only if these are member of the "local group" sshgroup
>    then you're allowed to login.
>
> Only users that are allowed to login with ssh on these servers
>    and are member of the "servers-ssh" group.
>    Both user and group MUST have UID/GID.
>    In my setup it's not allowed to login as a Windows Admin in linux.
>    Users must use sudo if they are allowed.
>
>
> I only have :
> Domain DC's
> Domain Member's
> Windows Workstations.
> I don't have Linux Workstations. (but I'm working on that part)
> And that's also more confusing, but a Linux workstation can be treated the
> same as a Domain Member.
>
> I'm assuming you want to login from a Linux Workstation into a Domain
> Member, with ssh, then only the Domain Member has the group option.
>
> But this is more how YOU want it.
> If you don't need groups to control ssh logins from AD, then you can
> leave them out.
> It's optional, only I do this so I can secure and control some parts
> better.
>
> This is or can be a problem.
> sshgroup:x:998:adminlinux
>
> If you install as my howtos show, then root has no password and is not
> allowed to login.
> The first created user is always UID 1000, (minimal)
> The first user also is allowed to use sudo.
>
> And, kerberos sets :
>
> password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000            <<< NOTE !!!!
> password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
> password        [success=1 default=ignore]      pam_winbind.so try_authtok try_first_pass
>
> So only minimal UID 1000 is allowed to use kerberos auth.
>
>
> I hope the above helps to fix it.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Robert Wooden via samba
> > Sent: Sunday 27 September 2020 13:58
> > To: Rowland penny
> > CC: sambalist
> > Subject: Re: [Samba] Debian client/workstation pam_mount
> >
> > The sshgroup exists on the client/workstation:
> >
> > > root at lws4:~# cat /etc/groups
> > > .....................
> > > sshgroup:x:998:adminlinux
> > > .....................
> >
> > But, on my member server that acts as a fileserver for domain users
> > (redirected) files there is no "sshgroup" at this time.
> >
> > The AD has server-ssh group:
> >
> > > root at dc1:~# samba-tool group listmembers server-ssh
> > > tuser17
> > > tuser16
> > >
> >
> >  I went back and found Louis' email where he explained these
> > two groups.
> > Here is part of that email:
> >
> > > Created "server-ssh" group in AD and gave it a GID.
> > > Add the needed windows users that are allowed to ssh in the server,
> > > only windows users in this one.
> > >
> > > Create group "sshgroup" on member server (in Debian?)
> > <<<<<< maybe Louis meant member fileserver and not client/workstation and I
> > misunderstood?
> > > yes, add the admin users for the system ( ONLY linux users here)
> > >
> >
> > First, let me clarify, I am not saying Louis is incorrect here but rather I
> > think I misunderstood.
> >
> > For me these 'client/workstation/member server' computer names (generic
> > machine names) get merged together and *create confusion*.
> >
> > Here is where I think (IMHO) the Linux (Debian, in my case)
> > client/workstations (C/W) are a different type of machine on the network
> > and yet carry many of the same characteristics of all member servers
> > (fileserver) just without any local (on the client/workstations) shares.
> > Maybe these machines should be called "client/workstation members" and
> > member fileserver should be referred to as "member file servers" serving
> > files to domain users logging into a "client/workstation member",
> > whether it be a Linux based C/W or a W10 based C/W? And not "lump" all
> > member servers (file servers) and linux based member servers (who are
> > actually a client/workstation) together as all member servers?
> >
> > Like so:
> > W10 client/workstation or W10 C/W for short.
> > Linux client/workstation or Linux C/W for short.
> > Domain Controller is a DC (of course).
> > Domain member server is a member file server for the domain
> > C/W's domain
> > users are logging into.
> >
> > Is the "sshgroup" to be created on the member server
> > (fileserver) that is
> > the file server for the W10/Debian client/workstations (C/W)
> > domain users?
> > Or, on both the fileserver and the Debian client/workstations
> > (C/W)? Or,
> > only on the client/workstations (C/W)?
> >
> > You're suggesting that 'tuser16' needs to be a member of 'sshgroup' and I do
> > not understand how to make a domain user (tuser16) a member of a linux
> > group on a member server or a client/workstation?
> >
> > Perhaps you see now why I may have confused what users get
> > what group on
> > what domain computer?
> >
> > On Sat, Sep 26, 2020 at 10:34 AM Rowland penny
> > <rpenny at samba.org> wrote:
> >
> > > On 26/09/2020 16:23, Robert Wooden wrote:
> > > > Okay, now so I don't get confused.
> > > > Yes, /home/WKDOM/tuser16 does exist on the client/workstation.
> > > >
> > > >     root at lws4:~# getent group
> > > >     root:x:0:
> > > >     /..snipped for brevity../
> > > >
> > > >     winbindd_priv:x:129:
> > > >     sshgroup:x:998:adminlinux
> > > >     postfix:x:130:
> > > >
> > > >     ..snipped for brevity..
> > > >
> > > >
> > > > There is no servers-ssh group on the C/W. (I have a server-ssh group
> > > > somewhere per Louis' instructions, just not on a C/W.) Should there be
> > > > a servers-ssh group on a C/W?
> > > >
> > > > And notice that tuser16 is not a member of "sshgroup".
> > >
> > > Then that is likely to be your problem, you posted your sshd config and
> > > it had this line:
> > >
> > > AllowGroups servers-ssh sshgroup
> > >
> > > So, if 'servers-ssh' doesn't exist and tuser16 isn't a member of
> > > 'sshgroup', then 'tuser16' will never log in, either add 'tuser16' to
> > > the 'sshgroup' or remove that line from your sshd conf or use a user
> > > that is a member of 'sshgroup'.
> > >
> > > Rowland
> > >
> > >
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
>
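An added example, not part of the thread and not Louis's or Samba's configuration, that models the sshd `AllowGroups` decision the thread is stuck on: given the `AllowGroups` value and the groups a user belongs to (as sshd sees them through NSS/winbind), it reports whether sshd would admit the user. The group lists are constructed from what the thread shows (`sshgroup:x:998:adminlinux`, `tuser16` in the AD group `server-ssh`); note that the posted `sshd_config` line says `servers-ssh` while the AD group listed by `samba-tool` is `server-ssh`.

```shell
#!/bin/sh
# Decide whether a user's groups satisfy an sshd_config AllowGroups line.
# sshd allows the login only if the primary group or one of the supplementary
# groups matches at least one of the space-separated patterns; patterns may use
# the wildcards * and ? (negated "!" patterns are not handled here).
#
# Usage: ssh_group_allowed "<AllowGroups value>" <group>...
# Exit status 0 = allowed, 1 = denied.
ssh_group_allowed() {
    allow=$1
    shift
    # Feed one pattern per line via a here-document instead of word-splitting
    # "$allow", so a literal "*" is never expanded against files in $PWD.
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        for grp in "$@"; do
            case $grp in
                $pat) return 0 ;;   # $pat unquoted so * and ? act as wildcards
            esac
        done
    done <<EOF
$(printf '%s\n' "$allow" | tr -s ' 	' '\n\n')
EOF
    return 1
}

# Constructed cases from the thread, checked against the posted sshd_config line
# "AllowGroups servers-ssh sshgroup". Returns 0 if every case behaves as
# Rowland described, 1 otherwise.
check_thread_cases() {
    allow="servers-ssh sshgroup"
    # adminlinux is a local admin listed in the local sshgroup -> allowed
    ssh_group_allowed "$allow" adminlinux sshgroup || return 1
    # tuser16 is in AD group server-ssh (not servers-ssh) and not in
    # sshgroup -> denied: there is no matching group at all
    ssh_group_allowed "$allow" "domain users" server-ssh && return 1
    # the same user once a group whose name matches the config exists -> allowed
    ssh_group_allowed "$allow" "domain users" servers-ssh || return 1
    # wildcards work the way sshd's PATTERNS section describes
    ssh_group_allowed "ssh*" users sshgroup || return 1
    return 0
}
```

On a live host, `sshd -T` (as root) prints the effective `allowgroups` value and `id -Gn "$user"` prints the groups sshd sees for that user; pass those to the function, quoting any group name that contains spaces.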

