[Samba] Group membership not updating on one DC only

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Tue Mar 9 13:13:08 UTC 2021


We've done some more tests (Debian Buster and Samba 4.13.4).

Restricting SSH access via the sshd_config to a certain group does not 
work. SSH tests group membership BEFORE winbind can update the groups. 
And if SSHd has denied you, winbind won't update the groups you're in.

Scenario A: User gets this group and tries to connect. SSHd tests the 
groups of the user, determines that the user is not part of the group 
and denies him (seen in auth.log). It still asks for your password but 
this won't do anything. You're not in the group -> denied forever.

Scenario B: User is in the group and gets expelled. He tries to connect and 
SSHd allows it (because the user is in the group). After the successful 
auth with PW winbind updates the group and the next SSH connection would 

Scenario C: User uses public-key auth. Winbind never updates the groups 
and the user can login forever (if he/she was in the group) or never (if 
he/she wasn't).

We got it working though!

1. Disable Public-Key Auth for samba-users.

2. Remove AllowUsers & AllowGroups from the sshd_config

3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add 
[accessfile=/etc/security/pam_access_sshd.conf] to the line.

4. Create /etc/security/pam_access_sshd.conf with this content:

4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"

4.2. Add "-:ALL:ALL" at the end to deny everyone else

5. Test it.

This way SSHd does not validate the groups and allows every valid user. 
Winbind updates the group membership and after that pam_access denies 
the user if it's not in the right group.

PubKey-Auth still doesn't work though :/

This should work for Debian and any other system with PAM. IDK if any 
other distro has a similar system with which you could achieve the same 

On 24.02.21 at 22:42, Rowland penny via samba wrote:
> On 24/02/2021 21:20, Christian via samba wrote:
>>> Why do you need to know what groups a user is a member of ?
>> Match group admin-group
>>   AllowUsers *
>> Match group remotessh
>>   AllowUsers *
>> in /etc/ssh/sshd_config comes to mind... Thanks,
> That is a valid reason, well it would be except for the fact that 
> disabled users can still log in via SSH.
> I wonder if you could use Kerberos instead of keys along with the 
> groups ? Never tried it, just thinking out loud.
> Rowland

Matthias Kühne
Senior Web Developer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Management board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the supervisory board: Frank Ellerhold

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
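As an added example (not code from the post, from Samba or from the pam_access project), a small Python model of the pam_access.conf rules described in the message: it renders the "+:DOMAIN\group:ALL" / "-:ALL:ALL" file, then evaluates it with pam_access's first-match semantics against a constructed before/after view of a user's winbind groups, so you can check rule order before touching a real sshd. The domain name, user names and group lists are constructed; netgroups and origins other than ALL are not modelled.

```python
# Added example: model of the pam_access_sshd.conf rules from the thread.
# Assumptions: simplified first-match semantics, only "ALL" origins,
# group membership taken from a constructed dict standing in for winbind.

DOMAIN = "DOMAIN"  # placeholder short domain name, as written in the post


def render_pam_access_conf(allowed_groups):
    """Content of /etc/security/pam_access_sshd.conf as the post describes:
    one '+' line per allowed SSH group, then a final deny-all line."""
    lines = [f"+:{DOMAIN}\\{g}:ALL" for g in allowed_groups]
    lines.append("-:ALL:ALL")
    return "\n".join(lines) + "\n"


def parse_rules(conf_text):
    """Parse 'permission:users_or_groups:origins' lines, skipping comments."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, subjects, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", subjects.split(), origins.split()))
    return rules


def pam_access_decision(user, user_groups, rules):
    """First matching rule wins; with no match pam_access grants access,
    which is why the post ends the file with '-:ALL:ALL'."""
    for allow, subjects, origins in rules:
        if "ALL" not in origins:
            continue  # only ALL origins are modelled here (assumption)
        if any(s == "ALL" or s == user or s in user_groups for s in subjects):
            return allow
    return True


# Constructed winbind view of group membership before and after a refresh.
GROUPS_BEFORE_REFRESH = {"DOMAIN\\alice": []}
GROUPS_AFTER_REFRESH = {"DOMAIN\\alice": ["DOMAIN\\my-ssh-group"],
                        "DOMAIN\\bob": ["DOMAIN\\other-group"]}

RULES = parse_rules(render_pam_access_conf(["my-ssh-group"]))


def decide(user, groups_view):
    """Would pam_access let this user in, given that group view?"""
    return pam_access_decision(user, groups_view.get(user, []), RULES)
```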
