Hello,

my environment:

All servers are Ubuntu 16.04-18.04

SAMBA AD DC server and several SAMBA DOMAIN MEMBERS (connected via WINBIND). In the AD DC I've created a group "restrictaccess" and added some users.

Now when I'm typing "id <username>" on a Domain Member, for some users the group "restrictaccess" is listed, for some not!

For example:

ON DC:

# samba-tool group listmembers restrictaccess
user1
user2

ON Domain Member:

# id user1
uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain users),3001(BUILTIN\users)

# id user2
uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain users),*10153(**restrictaccess**)*,3001(BUILTIN\users)

smb.conf on Domain Member:

[global]
security = ads
realm = rootrudi.de
workgroup = ROOTRUDI
idmap config *: backend = tdb
idmap config *: range = 3000-7999
idmap config rootrudi:backend = ad
idmap config rootrudi:range = 10000-999999
idmap config rootrudi:schema_mode = rfc2307
idmap config rootrudi:unix_nss_info = no
template shell = /bin/bash
template homedir = /home/%U
domain master = No
local master = No
preferred master = No
os level = 0
restrict anonymous = 2
winbind cache time = 10
winbind enum groups = Yes
winbind enum users = Yes
winbind use default domain = Yes
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

What happened?

Best regards

Micha
On Tue, 7 Aug 2018 12:20:04 +0200
Micha Ballmann via samba <samba at lists.samba.org> wrote:

> [...]
>
> Now when I'm typing "id <username>" on a Domain Member, for some users
> the group "restrictaccess" is listed, for some not!
>
> [...]
>
> What happened?
>

Nothing, it is just that the user will not be logged in. This is from a
unix domain member that the user 'emily' isn't logged into:

id emily
uid=10001(emily) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users)

And from one where she is:

id emily
uid=10001(emily) gid=10000(domain_users) groups=10000(domain_users),10002(unixgroup),10010(group12),2001(BUILTIN\users)

Rowland
Thanks for your answer.

But I don't understand why the following is not working:

I want to restrict the ssh access for a special domain member.

In my "sshd_config" I added:

AllowGroups restrictaccess root

With user2 I'm able to login via ssh!

log:
pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE

With user1 I'm not!

log:
User user1 from 192.168.0.100 not allowed because none of user's groups are listed in AllowGroups.

Have a look at my previous email: "id user2" shows the group "restrictaccess" and "id user1" doesn't. And I guess that's the reason why user2 is able to login and user1 not?

Thanks

Micha

On 07.08.2018 at 12:41, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 12:20:04 +0200
> Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
>> [...]
>>
>> What happened?
>>
> Nothing, it is just that the user will not be logged in, this is from a
> unix domain member that the user 'emily' isn't logged into:
>
> [...]
>
> Rowland
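As an added example (not part of the thread, not Samba or OpenSSH code): the script below parses `id` output of the form shown above, reproduces sshd's AllowGroups decision (pattern matching against the user's primary and supplementary groups, as documented in sshd_config), and reports users that AD lists in the group but whose winbind view on the member server does not, which is exactly the user1/user2 split Micha saw. The `id` lines, the membership list and the AllowGroups value are constructed to mirror the thread; the function names are assumptions of this example.

```python
"""Added example: compare winbind's `id` view with AD membership and mirror
the sshd AllowGroups check. Sample data is constructed, not real accounts."""
import re
from fnmatch import fnmatchcase

# One id(1) line: uid=N(user) gid=N(primary) groups=... ; winbind on a German
# locale prints "Gruppen=" instead of "groups=", so both labels are accepted.
ID_RE = re.compile(r'uid=\d+\(([^)]*)\)\s+gid=\d+\(([^)]*)\)\s+(?:groups|Gruppen)=(.*)')
GROUP_RE = re.compile(r'\d+\(([^)]*)\)')

def parse_id(line):
    """Return (user, set of group names incl. the primary group) for one id line."""
    m = ID_RE.match(line.strip())
    if not m:
        raise ValueError("not an id(1) line: %r" % line)
    user, primary, rest = m.groups()
    return user, {primary} | set(GROUP_RE.findall(rest))

def sshd_allows(groups, allow_groups):
    """AllowGroups semantics: the login is permitted if any of the user's groups
    (primary or supplementary) matches any pattern in the AllowGroups list."""
    return any(fnmatchcase(g, pat) for g in groups for pat in allow_groups)

def stale_memberships(group, ad_members, id_lines):
    """Users AD puts in `group` whose `id` output on this host lacks it. On a
    winbind member this typically means the user's token has not been built
    since the change (no login yet) or the winbind cache is stale."""
    missing = []
    for line in id_lines:
        user, groups = parse_id(line)
        if user in ad_members and group not in groups:
            missing.append(user)
    return missing

# Constructed sample data modelled on the thread.
AD_RESTRICTACCESS = {"user1", "user2"}   # samba-tool group listmembers restrictaccess
ID_LINES = [
    "uid=10065(user1) gid=10036(domain users) Gruppen=10036(domain users),3001(BUILTIN\\users)",
    "uid=20578(user2) gid=10036(domain users) Gruppen=10036(domain users),10153(restrictaccess),3001(BUILTIN\\users)",
]
ALLOW_GROUPS = ["restrictaccess", "root"]  # the sshd_config line from the thread

if __name__ == "__main__":
    for line in ID_LINES:
        user, groups = parse_id(line)
        verdict = "allowed" if sshd_allows(groups, ALLOW_GROUPS) else "denied"
        print("%s: %s (groups: %s)" % (user, verdict, ", ".join(sorted(groups))))
    print("in AD but missing from id output:",
          stale_memberships("restrictaccess", AD_RESTRICTACCESS, ID_LINES))
```

Running it prints user1 as denied and user2 as allowed, and lists user1 as the member whose winbind view disagrees with AD; the same comparison against a live host would use `getent group restrictaccess` for the AD side and `id <user>` for the winbind side.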