The "short" version on why multiple groups here.

For all my member servers apply the following.
This line:

AllowGroups servers-ssh sshgroup

There are 2 Linux-only admin accounts (local accounts), and only if these are members of the "local group" sshgroup are you allowed to login.
Only users that are allowed to login with ssh on these servers are members of the "servers-ssh" group.
Both user and group MUST have a UID/GID.
In my setup it's not allowed to login as a Windows admin in Linux.
Users must use sudo if they are allowed.

I only have:
Domain DCs
Domain Members
Windows Workstations.
I don't have Linux workstations (but I'm working on that part), and that's also more confusing, but a Linux workstation can be treated the same as a Domain Member..

I'm assuming you want to login from a Linux workstation into a Domain Member with ssh; then only the Domain Member has the group option.

But this is more how YOU want it.
If you don't need groups to control ssh logins from AD, then you can leave them out.
It's optional; I only do this so I can secure and control some parts better.

This is or can be a problem.
sshgroup:x:998:adminlinux

If you install as my howtos show, then root has no password and is not allowed to login.
The first created user is always UID 1000 (minimal).
The first user is also allowed to use sudo.

And Kerberos sets:

password [success=3 default=ignore] pam_krb5.so minimum_uid=1000   <<< NOTE !!!!
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass

So only minimal UID 1000 is allowed to use Kerberos auth.

I hope the above helps to fix it..
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert Wooden via samba
> Sent: Sunday 27 September 2020 13:58
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Debian client/workstation pam_mount
>
> The sshgroup exists on the client/workstation:
>
> > root at lws4:~# cat /etc/groups
> > .....................
> > sshgroup:x:998:adminlinux
> > .....................
>
> But, on my member server that acts as a fileserver for domain users' (redirected) files there is no "sshgroup" at this time.
>
> The AD has the server-ssh group:
>
> > root at dc1:~# samba-tool group listmembers server-ssh
> > tuser17
> > tuser16
>
> I went back and found Louis' email where he explained these two groups. Here is part of that email:
>
> > Created "server-ssh" group in AD and gave it a GID.
> > Add the needed windows users that are allowed to ssh in the server, only windows users in this one.
> >
> > Create group "sshgroup" on member server (in Debian?)
> <<<<<< maybe Louis meant member fileserver and not client/workstation and I misunderstood?
> > yes, add the admin users for the system ( ONLY linux users here)
>
> First, let me clarify, I am not saying Louis is incorrect here but rather I think I misunderstood.
>
> For me these 'client/workstation/member server' computer names (generic machine names) get merged together and *create confusion*.
>
> Here is where I think (IMHO) the Linux (Debian, in my case) client/workstations (C/W) are a different type of machine on the network and yet carry many of the same characteristics of all member servers (fileserver), just without any local (on the client/workstations) shares.
>
> Maybe these machines should be called "client/workstation members" and member fileserver should be referred to as "member file servers" serving files to domain users logging into "client/workstation members", whether it be a Linux based C/W or a W10 based C/W? And not "lump" all member servers (file servers) and linux based member servers (who are actually a client/workstation) together as all member servers?
>
> Like so:
> W10 client/workstation or W10 C/W for short.
> Linux client/workstation or Linux C/W for short.
> Domain Controller is a DC (of course).
> Domain member server is a member file server for the domain C/W's domain users are logging into.
>
> Is the "sshgroup" to be created on the member server (fileserver) that is the file server for the W10/Debian client/workstations (C/W) domain users? Or, on both the fileserver and the Debian client/workstations (C/W)? Or, only on the client/workstations (C/W)?
>
> You're suggesting that 'tuser16' needs to be a member of 'sshgroup' and I do not understand how to make a domain user (tuser16) a member of a linux group on a member server or a client/workstation?
>
> Perhaps you see now why I may have confused what users get what group on what domain computer?
>
> On Sat, Sep 26, 2020 at 10:34 AM Rowland penny <rpenny at samba.org> wrote:
>
> > On 26/09/2020 16:23, Robert Wooden wrote:
> > > Okay, now so I don't get confused.
> > > Yes, /home/WKDOM/tuser16 does exist on the client/workstation.
> > >
> > > root at lws4:~# getent group
> > > root:x:0:
> > > /..snipped for brevity../
> > >
> > > winbindd_priv:x:129:
> > > sshgroup:x:998:adminlinux
> > > postfix:x:130:
> > >
> > > ..snipped for brevity..
> > >
> > >
> > > There is no servers-ssh group on the C/W. (I have a server-ssh group somewhere per Louis' instructions, just not on a C/W.) Should there be a servers-ssh group on a C/W?
> > >
> > > And notice that tuser16 is not a member of "sshgroup".
> >
> > Then that is likely to be your problem, you posted your sshd config and it had this line:
> >
> > AllowGroups servers-ssh sshgroup
> >
> > So, if 'servers-ssh' doesn't exist and tuser16 isn't a member of 'sshgroup', then 'tuser16' will never log in, either add 'tuser16' to the 'sshgroup' or remove that line from your sshd conf or use a user that is a member of 'sshgroup'.
> >
> > Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
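The AllowGroups behaviour Louis describes, and Rowland's diagnosis in the quoted reply, as an added example that is not part of the thread: a shell simulation of sshd's AllowGroups rule over a constructed group database. The group and user names (sshgroup, servers-ssh, adminlinux, tuser16) are taken from the thread; the member lists, the gidNumbers, the extra user tuser18 and the AD_STATE switch are assumptions made for the demonstration. It also shows what an inexact name does: the AllowGroups line reads servers-ssh while the AD group Robert lists with samba-tool is server-ssh, and AllowGroups only matches a group name that is exactly equal (or matches a pattern), so the two never line up.

```shell
#!/bin/bash
# Added example, not code from the thread: simulate how sshd's AllowGroups
# decides whether a user may log in, and why a local group is kept next to
# the AD group. Names come from the thread; all membership data is constructed.

# Local groups in /etc/group format (name:x:gid:members). 'sshgroup' is the
# local Unix group that holds the Linux-only admin account.
LOCAL_GROUPS='sshgroup:x:998:adminlinux
sudo:x:27:adminlinux'

# AD groups as winbind exposes them once they carry a gidNumber (or via the
# rid backend); gidNumbers are assumed. 'servers-ssh' is the AD group for
# domain users who may ssh in.
AD_GROUPS='servers-ssh:x:10001:tuser16,tuser17
domain users:x:10000:tuser16,tuser17,tuser18'

# Constructed reachability of AD: "up" or "down". When AD is down, winbind
# cannot resolve domain groups, so only local groups remain visible.
AD_STATE=up

# group_lookup NAME -> the matching group line, like `getent group NAME`
group_lookup() {
    {
        printf '%s\n' "$LOCAL_GROUPS"
        if [ "$AD_STATE" = up ]; then printf '%s\n' "$AD_GROUPS"; fi
    } | awk -F: -v g="$1" '$1 == g { print; exit }'
}

# in_group USER GROUP -> exit 0 if USER appears in GROUP's member list.
# (Real sshd also counts the user's primary group from /etc/passwd; that is
# left out here to keep the constructed data to one place.)
in_group() {
    group_lookup "$2" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# allow_groups_check USER GROUP... -> prints "allow" if USER is in at least
# one of the listed groups (the AllowGroups rule), otherwise "deny".
allow_groups_check() {
    user=$1; shift
    for g in "$@"; do
        if in_group "$user" "$g"; then
            echo allow; return 0
        fi
    done
    echo deny; return 1
}

# Demo: the AllowGroups line from the thread, evaluated per user with AD up
# and with AD down. With AD down only the local sshgroup still resolves.
for state in up down; do
    AD_STATE=$state
    for u in adminlinux tuser16 tuser18; do
        printf 'AD %-4s %-10s %s\n' "$state" "$u" \
            "$(allow_groups_check "$u" servers-ssh sshgroup)"
    done
done
AD_STATE=up
```

The demo loop prints allow or deny per user. With AD up, adminlinux passes through sshgroup and tuser16 through servers-ssh; with AD down, the local sshgroup is the only thing that still lets adminlinux in, which is the reason for the second group. Checking tuser16 against server-ssh instead of servers-ssh yields deny, the same outcome Rowland points at when the group named in sshd_config does not exist on the host.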
Louis,

You said:
> For all my member servers *apply the following*.
> This line :
> > > AllowGroups servers-ssh sshgroup

"apply the following" where????

> There are 2, linux only Admin accounts, ( local accounts )
> And, only if these are member of the "local group" sshgroup
> then your allowed to login.

Not sure I understand here. I have a linux admin user named "adminlinux" (You do linuxadmin, I think) and of course 'root'. (I do not use root for any thing connected with AD.) What two (2) "linux only" admin accounts are you talking about??

> Only users that are allowed to login with ssh on these servers
> and are member of the "servers-ssh" group.
> Both user and group MUST have UID/GID.

All domain users that are members of the "server-ssh" group have a UID and GID. I have a Debian domain member (computer) that can log in as an AD member like the W10 domain member. These logins are via domain user accounts (SAMDOM\user for example.)

> This is or can be a problem.
> sshgroup:x:998:adminlinux

The only linux user I have on any linux domain member (computer) is "adminlinux", which is basically only used when I ssh in for maintenance.

> And, kerberos sets :
>
> password [success=3 default=ignore] pam_krb5.so minimum_uid=1000 <<< NOTE !!!!
> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
>
> So only minimal UID 1000 is allowed to use kerberos auth.

This does not look like the content in /etc/krb5.conf? Looks more like a pam_mount config file? So, I am not sure what your thinking process was nor what I should do?

On Mon, Sep 28, 2020 at 4:01 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> The "short" version on why multiple groups here.
>
> For all my member servers apply the following.
Hi Bob,

> From: Robert Wooden [mailto:wdn2420systm at gmail.com]
> Sent: Monday 28 September 2020 23:37
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Debian client/workstation pam_mount
>
> Louis,
>
> You said:
> > For all my member servers apply the following.
> > This line :
> > > > AllowGroups servers-ssh sshgroup
>
> "apply the following" where????
>
> > There are 2, linux only Admin accounts, ( local accounts )
> > And, only if these are member of the "local group" sshgroup
> > then your allowed to login.
>
> Not sure I understand here. I have a linux admin user named "adminlinux" (You do linuxadmin, I think) and of course 'root'. (I do not use root for any thing connected with AD.) What two (2) "linux only" admin accounts are you talking about??

The 2 accounts "You" set up to manage the system if you're unable to login with a Windows account.
No, I never ever use or let root be able to login; root is always disabled in my setup.

> > Only users that are allowed to login with ssh on these servers
> > and are member of the "servers-ssh" group.
> > Both user and group MUST have UID/GID.
>
> All domain users that are members of the "server-ssh" group have a UID and GID. I have a Debian domain member (computer) that can log in as an AD member like the W10 domain member. These logins are via domain user accounts (SAMDOM\user for example.)
>
> > This is or can be a problem.
> > sshgroup:x:998:adminlinux

It's not a problem if the group is below 1000, sorry I've misread that. Just make sure you can login if your user is below 1000.

> The only linux user I have on any linux domain member (computer) is "adminlinux", which is basically only used when I ssh in for maintenance.

Ok that's good, but what if you can't login with adminlinux?? .. that's why I have 2 accounts.

> > And, kerberos sets :
> >
> > password [success=3 default=ignore] pam_krb5.so minimum_uid=1000 <<< NOTE !!!!
> > password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> > password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
> >
> > So only minimal UID 1000 is allowed to use kerberos auth.
>
> This does not look like the content in /etc/krb5.conf? Looks more like a pam_mount config file?
> So, I am not sure what your thinking process was nor what I should do?

The above is from /etc/pam.d/common-password. Personally I don't change PAM manually.

And you could use something like this if you need other settings in krb5.conf:

[appdefaults]
    forwardable = true
    ; proxiable = true
    ; ticket_lifetime = 24h
    ; ccache_type = 4
    pam = {
        ignore_k5login = true
        minimum_uid = 1000
        YOUR.REALM.HERE = {
        }
    }

On Mon, Sep 28, 2020 at 4:01 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> The "short" version on why multiple groups here.
>
> For all my member servers apply the following.
> This line:
>
> AllowGroups servers-ssh sshgroup
>
> There are 2, linux only Admin accounts, ( local accounts )
> And, only if these are member of the "local group" sshgroup
> then your allowed to login.
>
> Only users that are allowed to login with ssh on these servers
> and are member of the "servers-ssh" group.
> Both user and group MUST have UID/GID.
> In my setup its not allowed to login as a Windows Admin in linux.
> Users must use sudo if they are allowed.
>
> I only have :
> Domain DC's
> Domain Member's
> Windows Workstations.
> I dont have Linux Workstations. ( but im working on that part )
> And thats also more confusing, but a linux workstation can be treated same as a Domain Member..
>
> Im assuming you want to login from a Linux Workstation into a Domain Member,
> With ssh, then only the Domain Member has the group option.
>
> But this is more how YOU want it.
> If you dont need groups to control ssh logins from AD, then you can leave them out.
> Its optional, only i do this so i can secure and control some parts better.
>
> This is or can be a problem.
On 29/09/2020 08:00, L.P.H. van Belle via samba wrote:
> Hi Bob,
>
> There are 2, linux only Admin accounts, ( local accounts )
> And, only if these are member of the "local group" sshgroup
> then your allowed to login.
>

OK, I have removed virtually all that was posted, it was very hard to follow :-(

My understanding of this is that if you set 'AllowGroups' in sshd_config, then only the users that are members of the groups that you set with 'AllowGroups' will be able to login.

It sounds to me that Louis uses two groups, one that is a local Unix group (it is in /etc/group) and another that is an AD group which becomes a Unix group by either using the winbind 'rid' backend or using the 'ad' backend and giving the group a gidNumber attribute.

If you only used an AD group and (for whatever reason) AD went down, very probably no user would be able to login via ssh, this is why it is suggested to use two groups. You do not need to use 'AllowGroups', it is just another layer of security, talking of which, I would suggest you do not login as root via ssh, use a normal user and use sudo.

Finally we come to that '1000' number in /etc/pam.d/common-*, this really should be set to whatever you set as the low range in the DOMAIN idmap config line in your smb.conf.

Rowland
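Rowland's last point, as an added example that is not part of the thread: a shell check that compares the minimum_uid on the pam_krb5.so line (the /etc/pam.d/common-password lines Louis posted) and the minimum_uid in the krb5.conf [appdefaults] pam block (Louis's other fragment) with the low end of the DOMAIN idmap range in smb.conf, and prints the pam_krb5 line rewritten to match. The smb.conf fragment, the rid backend and the 10000-999999 range are constructed values; SAMDOM is the domain name Robert uses in the thread.

```shell
#!/bin/bash
# Added example, not code from the thread: check that the uid threshold which
# gates pam_krb5 agrees with the low end of the DOMAIN idmap range, and show
# the corrected PAM line. All three config fragments below are constructed.

SMB_CONF='[global]
   security = ADS
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999'

# The common-password lines as posted in the thread.
PAM_COMMON_PASSWORD='password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass'

# The relevant part of the krb5.conf [appdefaults] block from the thread.
KRB5_APPDEFAULTS='[appdefaults]
    forwardable = true
    pam = {
        ignore_k5login = true
        minimum_uid = 1000
    }'

# idmap_low_range DOMAIN -> first uid/gid of the DOMAIN idmap range, or nothing
# if smb.conf has no range for that domain. DOMAIN is used literally inside a
# regex, so keep it to plain letters, digits, '.' and '-'.
idmap_low_range() {
    printf '%s\n' "$SMB_CONF" | awk -F= -v d="$1" '
        tolower($1) ~ ("idmap config[[:space:]]*" tolower(d) "[[:space:]]*:[[:space:]]*range") {
            gsub(/[[:space:]]/, "", $2); split($2, r, "-"); print r[1]; exit
        }'
}

# pam_minimum_uid -> value of minimum_uid= on the pam_krb5.so line (or nothing)
pam_minimum_uid() {
    printf '%s\n' "$PAM_COMMON_PASSWORD" | awk '
        /pam_krb5\.so/ { for (i = 1; i <= NF; i++) if (sub(/^minimum_uid=/, "", $i)) { print $i; exit } }'
}

# krb5_minimum_uid -> minimum_uid from the pam = { } block, the other place
# this threshold can be configured
krb5_minimum_uid() {
    printf '%s\n' "$KRB5_APPDEFAULTS" | awk -F= '
        $1 ~ /^[[:space:]]*minimum_uid[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# check_minimum_uid DOMAIN [VALUE] -> "ok" when VALUE (default: the pam_krb5
# line's minimum_uid) equals the idmap low range, otherwise a one-line diagnosis
check_minimum_uid() {
    low=$(idmap_low_range "$1")
    min=${2:-$(pam_minimum_uid)}
    if [ -z "$low" ]; then
        echo "no idmap range for $1 in smb.conf"; return 1
    fi
    if [ "$min" = "$low" ]; then
        echo ok; return 0
    fi
    echo "mismatch: pam minimum_uid=$min, idmap $1 range starts at $low"
    return 1
}

# fixed_krb5_line DOMAIN -> the pam_krb5.so line rewritten so that minimum_uid
# equals the idmap low range, i.e. Kerberos auth is only tried for domain uids
fixed_krb5_line() {
    low=$(idmap_low_range "$1")
    printf '%s\n' "$PAM_COMMON_PASSWORD" | awk -v low="$low" '
        /pam_krb5\.so/ { sub(/minimum_uid=[0-9]+/, "minimum_uid=" low); print; exit }'
}

# Demo: diagnose the posted config, then print the line that would match.
check_minimum_uid SAMDOM
check_minimum_uid SAMDOM "$(krb5_minimum_uid)"
fixed_krb5_line SAMDOM
```

With the constructed smb.conf the check reports a mismatch (minimum_uid=1000 against a range starting at 10000) for both the PAM line and the krb5.conf value, and the rewritten line carries minimum_uid=10000. The lower bound matters because every local account created at or above 1000 (the first user Louis mentions is UID 1000) otherwise also gets routed through pam_krb5, while a threshold equal to the idmap low range reserves that path for domain accounts.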
Rowland, my hero, that's exactly what I meant.. Thanks for making it better to read.. :-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 29 September 2020 10:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debian client/workstation pam_mount
>
> On 29/09/2020 08:00, L.P.H. van Belle via samba wrote:
> > Hi Bob,
> >
> > There are 2, linux only Admin accounts, ( local accounts )
> > And, only if these are member of the "local group" sshgroup
> > then your allowed to login.
> >
>
> OK, I have removed virtually all that was posted, it was very hard to follow :-(
>
> My understanding of this is that if you set 'AllowGroups' in sshd_config, then only the users that are members of the groups that you set with 'AllowGroups' will be able to login.
>
> It sounds to me that Louis uses two groups, one that is a local Unix group (it is in /etc/group) and another that is an AD group which becomes a Unix group by either using the winbind 'rid' backend or using the 'ad' backend and giving the group a gidNumber attribute.
>
> If you only used an AD group and (for whatever reason) AD went down, very probably no user would be able to login via ssh, this is why it is suggested to use two groups. You do not need to use 'AllowGroups', it is just another layer of security, talking of which, I would suggest you do not login as root via ssh, use a normal user and use sudo.
>
> Finally we come to that '1000' number in /etc/pam.d/common-*, this really should be set to whatever you set as the low range in the DOMAIN idmap config line in your smb.conf.
>
> Rowland