The "short" version on why multiple groups here.
For all my member servers apply the following.
This line : > > AllowGroups servers-ssh sshgroup
There are 2, linux only Admin accounts, ( local accounts )
And, only if these are member of the "local group" sshgroup
then your allowed to login.
Only users that are allowed to login with ssh on these servers
and are member of the "servers-ssh" group.
Both user and group MUST have UID/GID.
In my setup its not allowed to login as a Windows Admin in linux.
Users must use sudo if they are allowed.
I only have :
Domain DC's
Domain Member's
Windows Workstations.
I dont have Linux Workstations. ( but im working on that part )
And thats also more confusing, but a linux workstion can be treated same as a
Domain Member..
Im assuming you want to login from a Linux Workstations into a Domain Member,
With ssh, then only the Domain Member has the group option.
But this is more how YOU want it.
If you dont needed groups to control ssh logins from add, then you can leave
them out.
Its optional, only i do this so i can secure and controll some parts better.
This is or can be a problem.
sshgroup:x:998:adminlinux
If you install as my howto's show, then root has no password and is not
allowed to login.
The first created user is always UID 1000, (minimal)
The first user also is allowed to use sudo.
And, kerberos sets :
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
<<< NOTE !!!!
password [success=2 default=ignore] pam_unix.so obscure use_authtok
try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so try_authtok
try_first_pass
So only minimal UID 1000 is allowed to use kerberos auth.
I hope aboves helps to fix it..
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Robert Wooden via samba
> Verzonden: zondag 27 september 2020 13:58
> Aan: Rowland penny
> CC: sambalist
> Onderwerp: Re: [Samba] Debian client/workstation pam_mount
>
> The sshgroup exists on the client/workstation:
>
> > root at lws4:~# cat /etc/groups
> >
> .....................
> >
> sshgroup:x:998:adminlinux
> >
> .....................
> >
>
> But, on my member server that acts as a fileserver for domain users
> (redirected) files there is no "sshgroup" at this time.
>
> The AD has server-ssh group:
>
> > root at dc1:~# samba-tool group listmembers server-ssh
> > tuser17
> > tuser16
> >
>
> I went back and found Louis' email where he explained these
> two groups.
> Here is part of that email:
>
> > Created "server-ssh" group in AD and gave it a GID.
> > Add the needed windows users that are allowed to ssh in the server,
> > only windows users in this one.
> >
> > Create group "sshgroup" on member server (in Debian?)
> <<<<<< maybe
> > Louis meant member fileserver and not client/workstation and I
> > misunderstood?
> > yes, add the admin users for the system ( ONLY linux users here)
> >
>
> First, let me clarify, I am not saying Louis is incorrect
> here but rather i
> think I misunderstood.
>
> For me this 'client/workstation/member server' computers
> (generic machines
> names) names get merged together and *create confusion*.
>
> Here is where I think (IMHO) the Linux (Debian, in my case)
> client/workstations (C/W) are a different type of machine on
> the network
> and yet carry many of the same characteristics of all member servers
> (fileserver) just without any local (on the
> client/workstations) shares.
> Maybe these machines should be called "client/workstation
members" and
> member fileserver should be referred to as "member file
> servers" serving
> files to domain users logging into to a "client/workstation
members"
> weather it be a Linux based C/W or a W10 based C/W? And not
"lump" all
> member server (file servers) and linux based member servers (who are
> actually a client/workstation) together as all member servers?
>
> Like so:
> W10 client/workstation or W10 C/W for short.
> Linux client/workstation or Linux C/W for short.
> Domain Controller is a DC (of course).
> Domain member server is a member file server for the domain
> C/W's domain
> users are logging into.
>
> Is the "sshgroup" to be created on the member server
> (fileserver) that is
> the file server for the W10/Debian client/workstations (C/W)
> domain users?
> Or, on both the fileserver and the Debian client/workstations
> (C/W)? Or,
> only on the client/workstations (C/W)?
>
> Your suggesting that 'tuser16' needs to be a member of
> 'sshgroup' and I do
> not understand how to make a domain user (tuser16) a member of a linux
> group on a member server or a client/workstation?
>
> Perhaps you see now why I may have confused what users get
> what group on
> what domain computer?
>
> On Sat, Sep 26, 2020 at 10:34 AM Rowland penny
> <rpenny at samba.org> wrote:
>
> > On 26/09/2020 16:23, Robert Wooden wrote:
> > > Okay, now so I don't get confused.
> > > Yes, /home/WKDOM/tuser16 does exist on the client/workstation.
> > >
> > > root at lws4:~# getent group
> > > root:x:0:
> > > /..snipped for brevity../
> > >
> > > winbindd_priv:x:129:
> > > sshgroup:x:998:adminlinux
> > > postfix:x:130:
> > >
> > > ..snipped for brevity..
> > >
> > >
> > > There is no servers-ssh group on the C/W. (I have a
> server-ssh group
> > > somewhere per Louis' instructions, just not on a C/W.)
> Should there be
> > > a servers-ssh group on a C/W?
> > >
> > > And notice that tuser16 is not a member of "sshgroup".
> >
> > Then that is likely to be your problem, you posted your
> sshd config and
> > it had this line:
> >
> > AllowGroups servers-ssh sshgroup
> >
> > So, if 'servers-ssh' doesn't exist and tuser16 isn't a
member of
> > 'sshgroup', then 'tuser16' will never log in, either
add
> 'tuser16' to
> > the 'sshgroup' or remove that line from your sshd conf or use
a user
> > that is a member of 'sshgroup'.
> >
> > Rowland
> >
> >
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>