[Samba] Group membership not updating on one DC only

L.P.H. van Belle belle at bazuin.nl
Tue Mar 9 14:04:04 UTC 2021


Strange, I use all you describe below and it all works on my member server. 
Do all groups you're using have a GID assigned? 
And in addition to this I also use automounted home dirs. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthias Kühne |
> Ellerhold AG via samba
> Sent: Tuesday 9 March 2021 14:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Group membership not updating on one DC only
> 
> Heyho,
> 
> we've done some more tests (debian buster and samba 4.13.4).
I also use 4.13.4 (4.13.5 is building currently) 
> 
> Restricting SSH access via the sshd_config to a certain group does not
> work. SSH tests group membership BEFORE winbind can update the groups.
> And if SSHd has denied you, winbind won't update the groups you're in.
> 
> 
> Scenario A: User gets this group and tries to connect. SSHd tests the
> groups of the user, determines that the user is not part of the group
> and denies him (seen in auth.log). It still asks for your password but
> this won't do anything. You're not in the group -> denied forever.
> 
> Scenario B: User is in the group and gets expelled. He tries to connect and
> SSHd allows it (because the user is in the group). After the successful
> auth with PW winbind updates the group and the next SSH connection would
> fail.
> 
> Scenario C: User uses public-key auth. Winbind never updates the groups
> and the user can log in forever (if he/she was in the group) or never (if
> he/she wasn't).
> 
> 
> We got it working though!
> 
> 1. Disable Public-Key Auth for samba-users.
Whereas my customers do use public keys for auth (and yes, these are samba users). 

> 
> 2. Remove AllowUsers & AllowGroups from the sshd_config
I only use AllowGroups here; I have 2 groups, one Linux group for Linux users and a Windows group which has the samba users. 

> 
> 3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add
> [accessfile=/etc/security/pam_access_sshd.conf] to the line.

All I did is run: pam-auth-update

> 
> 4. Create /etc/security/pam_access_sshd.conf with this content:
> 
> 4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"
> 
> 4.2. Add "-:ALL:ALL" at the end to deny everyone else
> 
> 5. Test it.
> 
> 
> This way SSHd does not validate the groups and allows every valid user.
> Winbind updates the group membership and after that pam_access denies
> the user if it's not in the right group.
> 
> PubKey auth still doesn't work though :/
> 
> 
> This should work for Debian and any other system with PAM. IDK if any
> other distro has a similar system with which you could achieve the same
> thing.
> 
> 
> On 24.02.21 at 22:42, Rowland penny via samba wrote:
> > On 24/02/2021 21:20, Christian via samba wrote:
> >>
> >>> Why do you need to know what groups a user is a member of ?
> >> Match group admin-group
> >>   AllowUsers *
> >> Match group remotessh
> >>   AllowUsers *
> >>
> >> in /etc/ssh/sshd_config comes to mind... Thanks,
> >
> >
> > That is a valid reason, well it would be except for the fact that
> > disabled users can still login via SSH.
> >
> > I wonder if you could use kerberos instead of keys along with the
> > groups ? Never tried it, just thinking out loud.
> >
> > Rowland
> 
> --
> Matthias Kühne
> Senior Web Developer
> Data Protection Officer
> 
> Ellerhold Aktiengesellschaft
> Friedrich-List-Str. 4
> 01445 Radebeul
> 
> Phone: +49 (0) 351 83933-61
> Fax: +49 (0) 351 83933-99
> 
> Web     www.ellerhold.de
> Twitter www.twitter.com/Ellerhold_AG
> Youtube www.youtube.com/user/ellerholdgruppe
> 
> Amtsgericht Dresden / HRB 23769
> Board of Directors: Stephan Ellerhold, Maximilian Ellerhold
> Chairman of the Supervisory Board: Frank Ellerhold
> 
> This e-mail and its attachments are privileged and confidential. If you
> are not the intended recipient, please notify us and immediately delete
> this e-mail and its attachments.
> 
> You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
> 
> 

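The steps 1 to 5 quoted above hinge on one property of pam_access: rules in the access file are evaluated top to bottom, the first matching rule wins, and if nothing matches access is granted, which is why the trailing "-:ALL:ALL" matters. The script below is an added example, not code from the thread or from the Samba project: it builds the file content step 4 describes for a list of allowed groups and then dry-runs the first-match evaluation against constructed user/group lists. The domain name EXAMPLE, the user names and the group lists are made up; the evaluator ignores the origins field (it assumes ALL) and reads the groups it is handed instead of asking winbind.

```shell
#!/bin/sh
# Added example (not from the thread): generate the pam_access file that step 4
# of the quoted procedure describes and dry-run pam_access' first-match logic.

# Print the content of /etc/security/pam_access_sshd.conf for the given domain
# and allowed groups: one "+:DOMAIN\group:ALL" line per group, then "-:ALL:ALL".
# Usage: build_access_conf DOMAIN group1 [group2 ...]
build_access_conf() {
    domain=$1
    shift
    for g in "$@"; do
        printf '+:%s\\%s:ALL\n' "$domain" "$g"
    done
    # Deny everyone not matched above; without this line pam_access would
    # grant access to any user no rule matched.
    printf '%s\n' '-:ALL:ALL'
}

# Dry-run of the decision pam_access makes for one login.
#   $1 = access file content (string)
#   $2 = user name
#   $3 = comma-separated groups the user belongs to (constructed here; on a
#        real host this is what winbind reports after a successful auth)
# Prints ALLOW or DENY. Origins (third field) are assumed to be ALL.
access_decision() {
    conf=$1
    user=$2
    groups=$3
    while IFS=: read -r perm who origins; do
        # Skip blank lines and comments.
        case "$perm" in
            '+'|'-') ;;
            *) continue ;;
        esac
        matched=0
        if [ "$who" = ALL ] || [ "$who" = "$user" ]; then
            matched=1
        else
            old_ifs=$IFS
            IFS=,
            for g in $groups; do
                if [ "$g" = "$who" ]; then
                    matched=1
                fi
            done
            IFS=$old_ifs
        fi
        if [ "$matched" = 1 ]; then
            # First matching rule decides.
            if [ "$perm" = '+' ]; then echo ALLOW; else echo DENY; fi
            return 0
        fi
    done <<EOF
$conf
EOF
    # No rule matched: pam_access grants access by default.
    echo ALLOW
}

# Usage on constructed data (EXAMPLE is a placeholder domain):
conf=$(build_access_conf EXAMPLE ssh-admins)
printf '%s\n' "$conf"
access_decision "$conf" alice 'EXAMPLE\domain users,EXAMPLE\ssh-admins'   # ALLOW
access_decision "$conf" bob   'EXAMPLE\domain users'                      # DENY
```

The generated text is what step 4 puts into /etc/security/pam_access_sshd.conf; the pam_access.so line in /etc/pam.d/sshd then points at that file. The last case in the dry-run (a file without the closing deny line) is the one to check on a real host: a user in no listed group is still allowed in.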