[Samba] Group membership not updating on one DC only

L.P.H. van Belle belle at bazuin.nl
Tue Mar 9 14:32:30 UTC 2021

Ah, now I see, I forgot one user which is using keys, needed that last line.
It has been running for some time already, I totally forgot about that one.
The config:

Port 22
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog yes
UseDNS no

Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

AllowGroups sftpCustomers sshLevel1 sshLevel2
Match User customerxxxx
    AuthenticationMethods publickey,password

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthias Kühne |
> Ellerhold AG via samba
> Sent: Tuesday 9 March 2021 15:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Group membership not updating on one DC only
> Heyho,
> yes all users have uidNumbers and all groups have gidNumbers (thanks to
> adman for that!!)
> I could reliably reproduce each of the 3 scenarios below. That's why
> we're using pam_access now.
> Are you using Debian buster too? With openssh-server version
> 1:7.9p1-10+deb10u2? For reference this is our (now basic) sshd_conf:
> PermitRootLogin no
> PubkeyAuthentication yes
> PasswordAuthentication yes
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> UsePAM yes
> AllowAgentForwarding yes
> X11Forwarding no
> PrintMotd no
> AcceptEnv LANG LC_*
> Subsystem    sftp    /usr/lib/openssh/sftp-server
> Anything you've got different in yours?
> Overall we're pretty happy with pam_access. Just wanted to share our
> solution to our problem for others that might have the same problem(s).

Of course, sharing is caring :-)
Always appreciated to see a working config passing by.
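
Added example, not part of the original messages: a simplified Python model of how the first configuration above applies AllowGroups and the Match User block to a single login. The user "alice" and the group "domain users" are constructed for illustration, and only Match User criteria are modelled.

```python
from fnmatch import fnmatchcase

# Constructed input: access-related lines excerpted from the sshd_config above.
SSHD_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowGroups sftpCustomers sshLevel1 sshLevel2
Match User customerxxxx
    AuthenticationMethods publickey,password
"""

def parse(text):
    """Return (global settings, [(match criteria, settings), ...])."""
    glob, blocks = {}, []
    target = glob
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        key, args = fields[0].lower(), fields[1:]   # keywords are case-insensitive
        if key == "match":
            target = {}
            blocks.append((args, target))
        else:
            target.setdefault(key, args)            # keep the first value obtained
    return glob, blocks

def access(text, user, groups):
    """(allowed by AllowGroups?, required method lists) for one login.
    Simplified: only 'Match User' with * and ? patterns, no negation."""
    glob, blocks = parse(text)
    merged = {}
    for criteria, settings in blocks:               # Match blocks override globals
        if len(criteria) == 2 and criteria[0].lower() == "user" and any(
                fnmatchcase(user, p) for p in criteria[1].split(",")):
            for key, args in settings.items():
                merged.setdefault(key, args)
    for key, args in glob.items():
        merged.setdefault(key, args)
    allow = merged.get("allowgroups")
    allowed = allow is None or any(fnmatchcase(g, p) for g in groups for p in allow)
    # Each inner list must be completed in full; separate lists are alternatives.
    methods = [m.split(",") for m in merged.get("authenticationmethods", ["any"])]
    return allowed, methods

if __name__ == "__main__":
    # "alice" and "domain users" are constructed names, not from the thread.
    print(access(SSHD_CONFIG, "customerxxxx", ["sftpCustomers"]))
    print(access(SSHD_CONFIG, "alice", ["domain users"]))
```

The AllowGroups result depends entirely on the group list passed in, which on a real host is whatever the system resolves for the user at login time.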


