[Samba] Group membership not updating on one DC only

Christian chanlists at googlemail.com
Sun Apr 4 16:36:42 UTC 2021


Hi Matthias,

thanks for posting this. It worked for me. Just one comment: Debian has

account required pam_access.so

in /etc/pam.d/sshd. Would it not make sense to change that to

auth  required     pam_access.so nodefgroup accessfile=/etc/security/pam_access_sshd.conf

The difference being that the user who tries to login with the correct 
password but is denied access, because she is not in the correct group, 
will get the same result as if the password had been entered incorrectly 
or the account did not exist in the first place.

Best wishes,

Christian

On 09.03.2021 14:13, Matthias Kühne | Ellerhold AG via samba wrote:
> Heyho,
>
> we've done some more tests (debian buster and samba 4.13.4).
>
> Restricting SSH-access via the sshd_config to a certain group does not
> work. SSH tests group membership BEFORE winbind can update the groups.
> And if SSHd has denied you, winbind won't update the groups you're in.
>
>
> Scenario A: User gets this group and tries to connect. SSHd tests the
> groups of the user, determines that the user is not part of the group
> and denies him (seen in auth.log). It still asks for your password but
> this won't do anything. You're not in the group -> denied forever.
>
> Scenario B: User is in the group and gets expelled. He tries to connect and
> SSHd allows it (because the user is in the group). After the successful
> auth with PW winbind updates the group and the next SSH connection would
> fail.
>
> Scenario C: User uses public-key auth. Winbind never updates the groups
> and the user can login forever (if he/she was in the group) or never (if
> he/she wasn't).
>
>
> We got it working though!
>
> 1. Disable Public-Key Auth for samba-users.
>
> 2. Remove AllowUsers & AllowGroups from the sshd_config
>
> 3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add
> [accessfile=/etc/security/pam_access_sshd.conf] to the line.
>
> 4. Create /etc/security/pam_access_sshd.conf with this content:
>
> 4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"
>
> 4.2. Add "-:ALL:ALL" at the end to deny everyone else
>
> 5. Test it.
>
>
> This way SSHd does not validate the groups and allows every valid user.
> Winbind updates the group membership and after that pam_access denies
> the user if it's not in the right group.
>
> PubKey-Auth still doesn't work though :/
>
>
> This should work for Debian and any other system with PAM. IDK if any
> other distro has a similar system with which you could achieve the same
> thing.
>
>
> On 24.02.21 at 22:42, Rowland penny via samba wrote:
>> On 24/02/2021 21:20, Christian via samba wrote:
>>>> Why do you need to know what groups a user is a member of ?
>>> Match group admin-group
>>>    AllowUsers *
>>> Match group remotessh
>>>    AllowUsers *
>>>
>>> in /etc/ssh/sshd_config comes to mind... Thanks,
>>
>> That is a valid reason, well it would be except for the fact that
>> disabled users can still login via SSH.
>>
>> I wonder if you could use kerberos instead of keys along with the
>> groups ? Never tried it, just thinking out loud.
>>
>> Rowland
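Added example, not from anyone in this thread: a POSIX sh script that stages steps 3 and 4 of Matthias' procedure (the pam_access policy file and the PAM line, in Christian's "auth ... nodefgroup" form) in a scratch directory instead of /etc, and then walks the staged policy the way pam_access does for a few constructed login attempts, so the allow/deny outcome can be checked before the real sshd is touched. The domain name EXAMPLE, the groups linux-ssh-admins and linux-ssh-users, the break-glass local account localadmin and the example IP address are all assumptions. One caveat the nodefgroup option brings: with it, pam_access only treats tokens written as "(name)" as groups, so the bare "+:DOMAIN\my-ssh-group:ALL" form from step 4.1 would be compared against user names only and never match; the staged file therefore parenthesises the group tokens. A second caveat follows from the thread itself: the group refresh happens during winbind's password authentication, so an "auth" pam_access line has to sit after the winbind auth modules in /etc/pam.d/sshd, otherwise it evaluates the stale membership just like sshd's own AllowGroups did.

```shell
#!/bin/sh
# Added example: stage the pam_access policy from the thread and check it offline.
# Nothing here touches /etc; everything is written below $STAGE (a temp dir).
set -eu

STAGE="${STAGE:-$(mktemp -d)}"
ACCESS_CONF="$STAGE/pam_access_sshd.conf"
PAM_FRAGMENT="$STAGE/sshd.pam-fragment"

# Step 4: the policy file. Domain EXAMPLE, the two group names and the local
# break-glass account "localadmin" are assumptions for this example. Group
# tokens are parenthesised because the PAM line below passes nodefgroup, which
# makes pam_access treat only "(name)" tokens as groups.
write_access_conf() {
    cat > "$ACCESS_CONF" <<'EOF'
# pam_access policy for sshd (constructed example). Read top to bottom, first
# matching rule wins; a file with no matching rule allows, hence the final deny.
+ : (EXAMPLE\linux-ssh-admins) : ALL
+ : (EXAMPLE\linux-ssh-users) : ALL
+ : localadmin : ALL
- : ALL : ALL
EOF
}

# Step 3 in Christian's variant: the line for /etc/pam.d/sshd, staged so it
# can be reviewed before being spliced into the real file (after the winbind
# auth modules, so the refreshed group list is what gets checked).
write_pam_fragment() {
    cat > "$PAM_FRAGMENT" <<'EOF'
auth  required  pam_access.so nodefgroup accessfile=/etc/security/pam_access_sshd.conf
EOF
}

# Walk the staged policy the way pam_access does, for one login attempt.
#   $1 user name   $2 space-separated groups of that user   $3 origin (PAM_RHOST)
# Prints "allow" or "deny". Implements ALL, "(group)", a plain user name, and
# ALL / exact-origin matching only; netgroups, EXCEPT and network masks are not
# modelled, and whitespace is stripped, so group names must not contain spaces.
check_access() {
    user=$1; ugroups=$2; origin=$3
    result=allow                     # pam_access default when no rule matches
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d '[:space:]')
        who=$(printf '%s\n' "$line" | cut -d: -f2 | tr -d '[:space:]')
        from=$(printf '%s\n' "$line" | cut -d: -f3 | tr -d '[:space:]')

        who_hit=0
        case "$who" in
            ALL) who_hit=1 ;;
            "("*")")                 # group token: strip parentheses, compare to each group
                g=${who#"("}; g=${g%")"}
                for ug in $ugroups; do
                    if [ "$ug" = "$g" ]; then who_hit=1; fi
                done ;;
            *)  if [ "$who" = "$user" ]; then who_hit=1; fi ;;
        esac
        [ "$who_hit" -eq 1 ] || continue

        case "$from" in
            ALL) ;;
            *)   [ "$from" = "$origin" ] || continue ;;
        esac

        if [ "$perm" = "+" ]; then result=allow; else result=deny; fi
        break                        # first matching rule decides
    done < "$ACCESS_CONF"
    printf '%s\n' "$result"
}

# The three scenarios from the thread, with constructed users and groups.
demo() {
    write_access_conf
    write_pam_fragment
    printf 'alice (in linux-ssh-users):      %s\n' \
        "$(check_access alice 'EXAMPLE\linux-ssh-users EXAMPLE\domain-users' 203.0.113.5)"
    printf 'bob   (domain user, no ssh group): %s\n' \
        "$(check_access bob 'EXAMPLE\domain-users' 203.0.113.5)"
    printf 'localadmin (local break-glass):    %s\n' \
        "$(check_access localadmin 'localadmin sudo' 203.0.113.5)"
    printf 'staged files under %s\n' "$STAGE"
}

demo
```

Run it as is to see alice allowed, bob denied and localadmin allowed; the staged pam_access_sshd.conf can then be copied to /etc/security and the PAM fragment pasted into /etc/pam.d/sshd. Note that with "-:ALL:ALL" at the end, root and every other local account are locked out of SSH unless they get their own "+" rule above it, which is why the example carries one for localadmin.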
