[Samba] Group membership not updating on one DC only

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Tue Mar 9 14:17:51 UTC 2021


Heyho,

yes all users have uidNumbers and all groups have gidNumbers (thanks to 
adman for that!!)

I could reliably reproduce each of the 3 scenarios below. That's why 
we're using pam_access now.

Are you using debian buster too? With openssh-server version 
1:7.9p1-10+deb10u2? For reference this is our (now basic) sshd_conf:

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding yes
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem    sftp    /usr/lib/openssh/sftp-server

Anything you've got different in yours?

Overall we're pretty happy with pam_access. Just wanted to share our 
solution to our problem for others that might have the same problem(s).

Bye, Matthias Kühne.

On 09.03.21 at 15:04, L.P.H. van Belle via samba wrote:
> Strange, I use all you describe below and all work on my member server.
> Do all groups you're using have a GID assigned?
> And added to this I also use automounted homedirs..
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthias Kühne |
>> Ellerhold AG via samba
>> Sent: Tuesday 9 March 2021 14:13
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Group membership not updating on one DC only
>>
>> Heyho,
>>
>> we've done some more tests (debian buster and samba 4.13.4).
> I also use 4.13.4 ( 4.13.5 is building currently )
>> Restricting SSH access via the sshd_config to a certain group does not
>> work. SSH tests group membership BEFORE winbind can update the groups.
>> And if SSHd has denied you, winbind won't update the groups you're in.
>>
>>
>> Scenario A: User gets added to this group and tries to connect. SSHd tests
>> the groups of the user, determines that the user is not part of the group
>> and denies him (seen in auth.log). It still asks for your password but
>> this won't do anything. You're not in the group -> denied forever.
>>
>> Scenario B: User is in the group and gets expelled. He tries to connect and
>> SSHd allows it (because the user is still in the group). After the successful
>> auth with PW winbind updates the group and the next SSH connection would
>> fail.
>>
>> Scenario C: User uses public-key auth. Winbind never updates the groups
>> and the user can login forever (if he/she was in the group) or never (if
>> he/she wasn't).
>>
>>
>> We got it working though!
>>
>> 1. Disable Public-Key Auth for samba users.
> Whereas my customers do use public keys for auth. ( and yes, these are samba users.
>
>> 2. Remove AllowUsers & AllowGroups from the sshd_config
> I only use AllowGroups here, I have 2 groups, one linux group for linux users and a windows group which has the samba users.
>
>> 3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add
>> [accessfile=/etc/security/pam_access_sshd.conf] to the line.
> All I did is run : pam-auth-update
>
>> 4. Create /etc/security/pam_access_sshd.conf with this content:
>>
>> 4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"
>>
>> 4.2. Add "-:ALL:ALL" at the end to deny everyone else
>>
>> 5. Test it.
>>
>>
>> This way SSHd does not validate the groups and allows every valid user.
>> Winbind updates the group membership and after that pam_access denies
>> the user if it's not in the right group.
>>
>> PubKey-Auth still doesn't work though :/
>>
>>
>> This should work for Debian and any other system with PAM. IDK if any
>> other distro has a similar system with which you could achieve the same
>> thing.
>>
>>
>> On 24.02.21 at 22:42, Rowland Penny via samba wrote:
>>> On 24/02/2021 21:20, Christian via samba wrote:
>>>>> Why do you need to know what groups a user is a member of ?
>>>> Match group admin-group
>>>>    AllowUsers *
>>>> Match group remotessh
>>>>    AllowUsers *
>>>>
>>>> in /etc/ssh/sshd_config comes to mind... Thanks,
>>>
>>> That is a valid reason, well it would be except for the fact that
>>> disabled users can still login via SSH.
>>>
>>> I wonder if you could use kerberos instead of keys along with the
>>> groups ? Never tried it, just thinking out loud.
>>>
>>> Rowland
-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Registered at Amtsgericht Dresden / HRB 23769
Board of Directors: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
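As an added illustration (not code from the thread or from Samba), a small Python model of how pam_access evaluates the pam_access_sshd.conf built in steps 4.1 and 4.2 above: the first matching rule decides, and since pam_access grants access when nothing matches, the trailing "-:ALL:ALL" line is what actually locks out users outside the allowed groups. It deliberately leaves out EXCEPT, netgroups, LOCAL and TTY origins; the DOMAIN\alice and DOMAIN\bob accounts and their groups are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample modelled on the /etc/security/pam_access_sshd.conf the
# thread describes: one '+' line per allowed AD group, then deny everyone.
SAMPLE_CONF = r"""
# permission : users/groups : origins
+ : DOMAIN\my-ssh-group : ALL
- : ALL : ALL
"""

@dataclass
class Rule:
    permit: bool
    subjects: list  # whitespace-separated user or group names, or ALL
    origins: list   # remote hosts, or ALL (only ALL and literal hosts modelled)

def parse_access_conf(text):
    """Parse access.conf lines of the form 'perm : subjects : origins'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append(Rule(fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules

def evaluate(rules, user, groups, origin="ALL"):
    """First matching rule decides. As with real pam_access, a file in which
    no rule matches grants access, which is why the final -:ALL:ALL matters.
    Simplified: no EXCEPT, netgroups (@name), LOCAL or TTY origins."""
    for rule in rules:
        subject_hit = any(s == "ALL" or s == user or s.strip("()") in groups
                          for s in rule.subjects)
        origin_hit = any(o == "ALL" or o == origin for o in rule.origins)
        if subject_hit and origin_hit:
            return rule.permit
    return True

def ssh_login_allowed(user, groups_as_winbind_reports_them):
    """Decision pam_access takes once sshd has let the user through
    authentication and winbind has refreshed the group list (the ordering
    the thread relies on)."""
    return evaluate(parse_access_conf(SAMPLE_CONF), user,
                    set(groups_as_winbind_reports_them))

if __name__ == "__main__":
    print(ssh_login_allowed(r"DOMAIN\alice", [r"DOMAIN\domain users", r"DOMAIN\my-ssh-group"]))
    print(ssh_login_allowed(r"DOMAIN\bob", [r"DOMAIN\domain users"]))
```

Running it with the two sample accounts shows alice (in DOMAIN\my-ssh-group) permitted and bob (only in DOMAIN\domain users) caught by the deny-all line.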