Thanks for your answer.

But I don't understand why the following is not working:

I want to restrict SSH access on a specific domain member.

In my "sshd_config" I added:

AllowGroups restrictaccess root

With user2 I'm able to log in via SSH!

log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE

With user1 I'm not!

log: User user1 from 192.168.0.100 not allowed because none of user's groups are listed in AllowGroups.

Have a look at my previous email: "id user2" shows the group "restrictaccess" and "id user1" doesn't. And I guess that's the reason why user2 is able to log in and user1 is not?

Thanks

Micha

On 07.08.2018 at 12:41, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 12:20:04 +0200
> Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> my environment:
>>
>> All servers are Ubuntu 16.04-18.04
>>
>> SAMBA AD DC server and several SAMBA DOMAIN MEMBERS (connected via
>> WINBIND). In the AD DC I've created a group "restrictaccess" and added
>> some users.
>>
>> Now when I'm typing "id <username>" on a domain member, for some users
>> the group "restrictaccess" is listed, for some not!
>>
>> For example:
>>
>> ON DC:
>>
>> # samba-tool group listmembers restrictaccess
>>
>> user1
>> user2
>>
>> ON Domain Member:
>>
>> # id user1
>>
>> uid=10065(user1) gid=10036(domain users) groups=10036(domain users),3001(BUILTIN\users)
>>
>> # id user2
>>
>> uid=20578(user2) gid=10036(domain users) groups=10036(domain users),10153(restrictaccess),3001(BUILTIN\users)
>>
>> smb.conf on Domain Member:
>>
>> [global]
>> security = ads
>> realm = rootrudi.de
>> workgroup = ROOTRUDI
>> idmap config *: backend = tdb
>> idmap config *: range = 3000-7999
>> idmap config rootrudi:backend = ad
>> idmap config rootrudi:range = 10000-999999
>> idmap config rootrudi:schema_mode = rfc2307
>> idmap config rootrudi:unix_nss_info = no
>> template shell = /bin/bash
>> template homedir = /home/%U
>> domain master = No
>> local master = No
>> preferred master = No
>> os level = 0
>> restrict anonymous = 2
>> winbind cache time = 10
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind use default domain = Yes
>> map acl inherit = Yes
>> store dos attributes = Yes
>> vfs objects = acl_xattr
>>
>> What happened?
>>
> Nothing, it is just that the user will not be logged in, this is from a
> unix domain member that the user 'emily' isn't logged into:
>
> id emily
> uid=10001(emily) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users)
>
> And from one where she is:
>
> id emily
> uid=10001(emily) gid=10000(domain_users) groups=10000(domain_users),10002(unixgroup),10010(group12),2001(BUILTIN\users)
>
> Rowland
>
On Tue, 7 Aug 2018 13:15:00 +0200
Micha Ballmann <ballmann at uni-landau.de> wrote:
> Thanks for your answer.
>
> But I don't understand why the following is not working:
>
> I want to restrict SSH access on a specific domain member.
>
> In my "sshd_config" I added:
>
> AllowGroups restrictaccess root
>
> With user2 I'm able to log in via SSH!
>
> log: pam_krb5(sshd:auth): user user2 authenticated as
> user2 at ROOTRUDI.DE
>
> With user1 I'm not!
>
> log: User user1 from 192.168.0.100 not allowed because none of user's
> groups are listed in AllowGroups.
>
> Have a look at my previous email: "id user2" shows the group
> "restrictaccess" and "id user1" doesn't. And I guess that's the
> reason why user2 is able to log in and user1 is not?

No, once a user logs in (or attempts to) winbind should be able to fill in the missing info.

What 'lib*.*' packages did you install with Samba?

Rowland
I guess that's the problem?! But why is it working for some users and not for others? I've rebooted the server several times to ensure nobody is logged in.

# id user1
# id user2

Shows the same output as before.

My installed libs:

# ls /lib/x86_64-linux-gnu/
device-mapper ld-2.23.so ld-linux-x86-64.so.2 libacl.so.1 libacl.so.1.1.0 libaio.so.1 libaio.so.1.0.1 libanl-2.23.so libanl.so.1 libapparmor.so.1 libapparmor.so.1.4.0 libatm.so.1 libatm.so.1.0.0 libattr.so.1 libattr.so.1.1.0 libaudit.so.1 libaudit.so.1.0.0 libblkid.so.1 libblkid.so.1.1.0 libBrokenLocale-2.23.so libBrokenLocale.so.1 libbsd.so.0 libbsd.so.0.8.2 libbz2.so.1 libbz2.so.1.0 libbz2.so.1.0.4 libc-2.23.so libcap.so.2 libcap.so.2.24 libcidn-2.23.so libcidn.so.1 libcom_err.so.2 libcom_err.so.2.1 libcrypt-2.23.so libcrypto.so.1.0.0 libcryptsetup.so.4 libcryptsetup.so.4.6.0 libcrypt.so.1 libc.so.6 libdbus-1.so.3 libdbus-1.so.3.14.6 libdevmapper-event-lvm2mirror.so libdevmapper-event-lvm2raid.so libdevmapper-event-lvm2snapshot.so libdevmapper-event-lvm2.so.2.02 libdevmapper-event-lvm2thin.so libdevmapper-event.so.1.02.1 libdevmapper.so.1.02.1 libdl-2.23.so libdl.so.2 libdns-export.so.162 libdns-export.so.162.1.3 libe2p.so.2 libe2p.so.2.3 libexpat.so.1 libexpat.so.1.6.0 libext2fs.so.2 libext2fs.so.2.4 libfdisk.so.1 libfdisk.so.1.1.0 libfuse.so.2 libfuse.so.2.9.4 libgcc_s.so.1 libgcrypt.so.20 libgcrypt.so.20.0.5 libglib-2.0.so.0 libglib-2.0.so.0.4800.2 libgpg-error.so.0 libgpg-error.so.0.17.0 libhistory.so.5 libhistory.so.5.2 libhistory.so.6 libhistory.so.6.3 libip4tc.so.0 libip4tc.so.0.1.0 libip6tc.so.0 libip6tc.so.0.1.0 libiptc.so.0 libiptc.so.0.0.0 libisc-export.so.160 libisc-export.so.160.0.0 libjson-c.so.2 libjson-c.so.2.0.0 libkeyutils.so.1 libkeyutils.so.1.5 libkmod.so.2 libkmod.so.2.3.0 liblvm2app.so.2.2 liblvm2cmd.so.2.02 liblzma.so.5 liblzma.so.5.0.0 liblzo2.so.2 liblzo2.so.2.0.0 libm-2.23.so libmemusage.so libmnl.so.0 libmnl.so.0.1.0 libmount.so.1 libmount.so.1.1.0 libm.so.6 libmvec-2.23.so
libmvec.so.1 libncurses.so.5 libncurses.so.5.9 libncursesw.so.5 libncursesw.so.5.9 libnewt.so.0.52 libnewt.so.0.52.18 libnih.so.1 libnih.so.1.0.0 libnl-3.so.200 libnl-3.so.200.22.0 libnl-genl-3.so.200 libnl-genl-3.so.200.22.0 libnsl-2.23.so libnsl.so.1 libnss_compat-2.23.so libnss_compat.so.2 libnss_dns-2.23.so libnss_dns.so.2 libnss_files-2.23.so libnss_files.so.2 libnss_hesiod-2.23.so libnss_hesiod.so.2 libnss_nis-2.23.so libnss_nisplus-2.23.so libnss_nisplus.so.2 libnss_nis.so.2 libntfs-3g.so.861 libntfs-3g.so.861.0.0 libpamc.so.0 libpamc.so.0.82.1 libpam_misc.so.0 libpam_misc.so.0.82.0 libpam.so.0 libpam.so.0.83.1 libparted.so.2 libparted.so.2.0.1 libpci.so.3 libpci.so.3.3.1 libpcprofile.so libpcre.so.3 libpcre.so.3.13.2 libply-boot-client.so.4 libply-boot-client.so.4.0.0 libply.so.4 libply.so.4.0.0 libply-splash-core.so.4 libply-splash-core.so.4.0.0 libply-splash-graphics.so.4 libply-splash-graphics.so.4.0.0 libpng12.so.0 libpng12.so.0.54.0 libpopt.so.0 libpopt.so.0.0.0 libprocps.so.4 libprocps.so.4.0.0 libpthread-2.23.so libpthread.so.0 libreadline.so.5 libreadline.so.5.2 libreadline.so.6 libreadline.so.6.3 libresolv-2.23.so libresolv.so.2 librt-2.23.so librt.so.1 libseccomp.so.2 libseccomp.so.2.3.1 libSegFault.so libselinux.so.1 libsepol.so.1 libslang.so.2 libslang.so.2.3.0 libsmartcols.so.1 libsmartcols.so.1.1.0 libssl.so.1.0.0 libss.so.2 libss.so.2.0 libsystemd.so.0 libsystemd.so.0.14.0 libthread_db-1.0.so libthread_db.so.1 libtinfo.so.5 libtinfo.so.5.9 libudev.so.1 libudev.so.1.6.4 libulockmgr.so.1 libulockmgr.so.1.0.1 libusb-0.1.so.4 libusb-0.1.so.4.4.4 libusb-1.0.so.0 libusb-1.0.so.0.1.0 libutil-2.23.so libutil.so.1 libuuid.so.1 libuuid.so.1.3.0 libwrap.so.0 libwrap.so.0.7.6 libxtables.so.11 libxtables.so.11.0.0 libz.so.1 libz.so.1.2.8 security # ls /lib/x86_64-linux-gnu/security/ pam_access.so pam_cifscreds.so pam_debug.so pam_deny.so pam_echo.so pam_env.so pam_exec.so pam_extrausers.so pam_faildelay.so pam_filter.so pam_ftp.so pam_group.so 
pam_issue.so pam_keyinit.so pam_krb5.so pam_lastlog.so pam_limits.so pam_listfile.so pam_localuser.so pam_loginuid.so pam_mail.so pam_mkhomedir.so pam_motd.so pam_namespace.so pam_nologin.so pam_permit.so pam_pwhistory.so pam_rhosts.so pam_rootok.so pam_securetty.so pam_selinux.so pam_sepermit.so pam_shells.so pam_stress.so pam_succeed_if.so pam_systemd.so pam_tally2.so pam_tally.so pam_time.so pam_timestamp.so pam_tty_audit.so pam_umask.so pam_unix.so pam_userdb.so pam_warn.so pam_wheel.so pam_winbind.so pam_xauth.so

Thanks

Micha

PS: I have this behaviour on each domain member, but not with the same result. It's pretty confusing and I can't find any logical pattern.

On 07.08.2018 at 13:49, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 13:15:00 +0200
> Micha Ballmann <ballmann at uni-landau.de> wrote:
>
>> Thanks for your answer.
>>
>> But I don't understand why the following is not working:
>>
>> I want to restrict SSH access on a specific domain member.
>>
>> In my "sshd_config" I added:
>>
>> AllowGroups restrictaccess root
>>
>> With user2 I'm able to log in via SSH!
>>
>> log: pam_krb5(sshd:auth): user user2 authenticated as
>> user2 at ROOTRUDI.DE
>>
>> With user1 I'm not!
>>
>> log: User user1 from 192.168.0.100 not allowed because none of user's
>> groups are listed in AllowGroups.
>>
>> Have a look at my previous email: "id user2" shows the group
>> "restrictaccess" and "id user1" doesn't. And I guess that's the
>> reason why user2 is able to log in and user1 is not?
> No, once a user logs in (or attempts to) winbind should be able to fill
> in the missing info.
>
> What 'lib*.*' packages did you install with Samba?
>
> Rowland
>