I'm currently running it on a test server (before I roll it out to our 6 live Linux boxes), and it's starting to drag on and drive me mad.

O/S: RedHat 7.1
Samba: 2.2.3a

I've got the whole system working nearly perfectly. As samba uses 'MMGROUP+Domain Users' as the primary group, I wanted to restrict who can use SSH and samba on the workstations. So I created a specific group on the NT PDC called 'MMGROUP+Winbind' and in there placed 5 users. This generally works fine, by specifying in /etc/ssh/sshd_config:

AllowGroups MMGROUP+Winbind

And also in the smb.conf file I've added:

valid users = @MMGROUP+Winbind

I can allow access to who I require, just by adding them to the main group on the PDC.

Now here's the wacky bit...

It works fine for a few days, even weeks, then all of a sudden some users cannot log in via ssh (but they can still browse the samba share). These users' settings have not changed on the PDC at all; their passwords and usernames have all stayed the same. There is nothing different or weird about their accounts either. Even removing them from the group, restarting samba and ssh and putting them back in doesn't cure the problem.

In /var/log/secure I get the same errors for all the users that cannot log in (it's not the same every time, the users can vary):

sshd[15164]: User MMGROUP+mark not allowed because none of user's groups are listed in AllowGroups
sshd[15164]: Failed password for illegal user MMGROUP+mark from 192.168.1.231 port 1055

As you can see, the section says 'none of user's groups are listed in AllowGroups', yet the users are in MMGROUP+Winbind, as running 'getent group' reveals this, and verifying this also on the NT PDC.

If I comment out the AllowGroups line in the sshd_config file they can log in perfectly OK.

To be honest it looked like an ssh problem at first, but thinking about it (and I may be wrong) it looks like Winbind is not giving ssh back the correct users from that group.

I have tried different versions of ssh and samba and this is still the same error. As I mentioned earlier, for a while it works, so it's very intermittent, but once I get the errors listed above, that's it, it just refuses to let those users log in. I did cure it once, by removing the affected users from MMGROUP+Winbind, then putting them back in, but even that doesn't work anymore for people. The PDC and Winbind are talking to each other OK, as if I add or remove users, it shows up on Winbind in about 10 seconds and again they work fine (unless I add the AllowGroups to ssh, which goes gaga after a while).

Any help would be brilliant, and thank you to everyone in advance.

Mark

----------
Mark Cooke
Internet Operations Technician
MM Group Ltd
Tel: 8141 (Internal)
Tel: (0117) 9168141 (External)
Email: mark@mmebs.co.uk
http://www.mmgroup.co.uk
On Tue, Mar 26, 2002 at 12:45:29PM +0000, Mark Cooke wrote:

> To be honest it looked like an ssh problem at first, but thinking about it
> (and I may be wrong)
> it looks like Winbind is not giving ssh back the correct users from that group.

Try doing a wbinfo -r <user> to get the groups list for that user - what does it say?

Jeremy
How have you configured ssh to use winbind? Did you set up pam to do this? Could you give some specifics on how you are getting the account information to sshd.

--
Brian

----- Original Message -----
From: "Mark Cooke" <mark@mmebs.co.uk>
To: <samba@lists.samba.org>
Sent: Tuesday, March 26, 2002 6:45 AM
Subject: [Samba] Winbind/Samba + sshd incorrect groups
I've just upgraded samba to 2.2.3a (before I've checked my mail, and it's all working now correctly), but I am not sure for how long.

I've set up the pam ssh module as below (from what I can work out it's correct, but I may be wrong):

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=007
session    optional     /lib/security/pam_console.so

Hope that helps. Currently I cannot get it to do it; as I mentioned, I've updated samba. I never got any reply from the mail I posted, so I figured no one had come across this before, so that's why I decided to update samba.

Mark

At 04:16 27/03/02, you wrote:
>How have you configured ssh to use winbind? Did you set up pam to do this?
>Could you give some specifics on how you are getting the account information
>to sshd.
>
>--
>Brian
>Sorry, I cannot give you that info at present, as I updated samba to
>2.2.3a last night, as I never got any replies, so I did it out of
>desperation, as I figured I would be told to upgrade to the latest anyway.

But running the command at present (as it's working correctly again) gives the right information for the groups. But I will keep you posted when this does happen again (hopefully not).

Thanks anyway, and sorry for time wasting.

Mark

But out of curiosity, what would the problem most likely be with? samba, pam, ssh? Oh, or me :-)

>Try doing a wbinfo -r <user> to get the groups list
>for that user - what does it say?
>
>Jeremy
At 20:31 27/03/02, Andrew Bartlett wrote:
>The problem is almost certainly in winbind - it could be that the DC is
>temporarily unavailable at that time, and the cache was not considered
>valid.
>
>(well, that's my punt anyway)

Hi Andrew,

Thanks for that. It was driving me mad, trying to figure out which one it could be.

This is my winbind section from the smb.conf file (if it helps):

# Winbind configuration
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000

If this is a winbind problem, has it been, and could it be, fixed in future? If it is a winbind problem (again), should I file a bug report?

Thanks again

Mark
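As an added example that is not part of the thread, the following POSIX shell script reproduces sshd's AllowGroups decision from getent-style passwd and group data, so the healthy winbind answer and the degraded one Andrew describes (the group still resolves, but its membership does not) can be compared offline and the thread's exact sshd message reproduced. The passwd and group lines are constructed samples; the live-check command at the end assumes the thread's sshd_config and a standard getent.

```shell
#!/bin/sh
# Constructed `getent passwd` lines; field 4 is the primary GID that sshd
# always counts as one of the user's groups.
PASSWD_DB='MMGROUP+mark:x:10010:10001::/home/MMGROUP/mark:/bin/bash
MMGROUP+jane:x:10011:10001::/home/MMGROUP/jane:/bin/bash'

# Constructed `getent group` output while winbind is healthy
# (names use the "+" separator from the thread's smb.conf).
GROUP_DB_OK='MMGROUP+Domain Users:x:10001:
MMGROUP+Winbind:x:10005:MMGROUP+mark,MMGROUP+jane'

# Constructed output after the cache expired and the DC did not answer:
# the group record is returned, but its member list comes back empty.
GROUP_DB_DEGRADED='MMGROUP+Domain Users:x:10001:
MMGROUP+Winbind:x:10005:'

# user_groups USER GROUP_DB: print the user's primary and supplementary
# group names, the same set sshd compares against AllowGroups.
user_groups() {
    pgid=$(printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$2" | awk -F: -v u="$1" -v g="$pgid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# allowed_by_allowgroups USER GROUP_DB ALLOWGROUPS: exit 0 when at least one
# of the user's groups is listed. AllowGroups is whitespace separated (which
# is also why a name like "MMGROUP+Domain Users" cannot be used there);
# exact names only here, whereas sshd also accepts wildcard patterns.
allowed_by_allowgroups() {
    for grp in $3; do
        user_groups "$1" "$2" | grep -qxF -- "$grp" && return 0
    done
    echo "User $1 not allowed because none of user's groups are listed in AllowGroups" >&2
    return 1
}

# Live check on a real host (uncomment): feed the current winbind answer and
# the configured AllowGroups line to the same decision for one user.
#   allowed_by_allowgroups "MMGROUP+mark" "$(getent group)" \
#       "$(awk '/^AllowGroups/ { $1 = ""; print }' /etc/ssh/sshd_config)"
```

Running the live check in a cron job and alerting on a non-zero exit catches the intermittent winbind failure before users report it.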