On 24.02.2021 10:53, Rowland penny via samba wrote:
> On 24/02/2021 09:36, Matthias Kühne | Ellerhold AG via samba wrote:
>> Hello,
>>
>> I just asked the user to ssh into DC1. And lo and behold after that he
>> has the correct groups.
>>
>> I let him connect to a fileserver via SMB and it updated the groups
>> correctly too. Yay
>
> Yes, you can only rely on a user's groups being correct after the user
> has logged in.
>
>> So it seems like the cache (on a Domain Member and on a DC) only gets
>> updated if the user connects to it. net cache flush doesn't seem to do
>> anything here.
>
> 'net cache flush' empties the winbind cache, so this wouldn't fix the
> problem you were having.
>
>> Winbind Offline Logon is enabled. Is this the / a problem?
>
> No, offline logon relies on the winbind cache being somewhere that
> survives a reboot (which on Debian it doesn't), so you need the user's
> data in the cache to begin with and this means the user has logged in
> at least once.
>
>> Is there any command I could run to update the groups without asking the
>> user to login to the machine?
>
> You could run 'wbinfo -a username', but this will mean that you must
> know the user's password.
>
> Why do you need to know what groups a user is a member of ?

Match group admin-group
    AllowUsers *
Match group remotessh
    AllowUsers *

in /etc/ssh/sshd_config comes to mind...

Thanks,
Christian
On 24/02/2021 21:20, Christian via samba wrote:
>> Why do you need to know what groups a user is a member of ?
> Match group admin-group
>     AllowUsers *
> Match group remotessh
>     AllowUsers *
>
> in /etc/ssh/sshd_config comes to mind...
>
> Thanks,

That is a valid reason, well it would be except for the fact that
disabled users can still login via SSH.

I wonder if you could use kerberos instead of keys along with the
groups ? Never tried it, just thinking out loud.

Rowland
Matthias Kühne | Ellerhold AG
2021-Mar-09 13:13 UTC
[Samba] Group membership not updating on one DC only
Heyho,

we've done some more tests (debian buster and samba 4.13.4).

Restricting SSH-access via the sshd_config to a certain group does not
work. SSH tests group membership BEFORE winbind can update the groups.
And if SSHd has denied you, winbind won't update the groups you're in.

Scenario A: User gets this group and tries to connect. SSHd tests the
groups of the user, determines that the user is not part of the group
and denies him (seen in auth.log). It still asks for your password but
this won't do anything. You're not in the group -> denied forever.

Scenario B: User is in the group, gets expelled. He tries to connect and
SSHd allows it (because the user is in the group). After the successful
auth with PW winbind updates the group and the next SSH connection would
fail.

Scenario C: User uses public-key auth. Winbind never updates the groups
and the user can login forever (if he/she was in the group) or never (if
he/she weren't).

We got it working though!

1. Disable Public-Key Auth for samba-users.
2. Remove AllowUsers & AllowGroups from the sshd_config
3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add
   [accessfile=/etc/security/pam_access_sshd.conf] to the line.
4. Create /etc/security/pam_access_sshd.conf with this content:
   4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"
   4.2. Add "-:ALL:ALL" at the end to deny everyone else
5. Test it.

This way SSHd does not validate the groups and allows every valid user.
Winbind updates the group membership and after that pam_access denies
the user if it's not in the right group.

PubKey-Auth still doesn't work though :/

This should work for Debian and any other system with PAM. IDK if any
other distro has a similar system with which you could achieve the same
thing.

On 24.02.21 at 22:42, Rowland penny via samba wrote:
> On 24/02/2021 21:20, Christian via samba wrote:
>>> Why do you need to know what groups a user is a member of ?
>> Match group admin-group
>>     AllowUsers *
>> Match group remotessh
>>     AllowUsers *
>>
>> in /etc/ssh/sshd_config comes to mind... Thanks,
>
> That is a valid reason, well it would be except for the fact that
> disabled users can still login via SSH.
>
> I wonder if you could use kerberos instead of keys along with the
> groups ? Never tried it, just thinking out loud.
>
> Rowland

-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Dresden Local Court / HRB 23769
Board of Directors: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

----------------
This e-mail and its attachments are privileged and confidential. If you
are not the intended recipient, please notify us and immediately delete
this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
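The pam_access file from step 4 only works because pam_access.so takes the first matching rule, so the "+" lines for the domain groups must come before the closing "-:ALL:ALL". The following is an added worked example, not code from the thread: a small Python model of pam_access rule evaluation run against a constructed copy of that file. The user and group names are made up, the DOMAIN\ prefix assumes winbind's default separator, and the matcher is simplified (origins are "ALL" or an exact token, no netmask or tty matching, group names must be single tokens).

```python
# Constructed sample of the /etc/security/pam_access_sshd.conf from step 4:
# one "+" line per allowed domain group, then "-:ALL:ALL" to deny everyone else.
ACCESS_CONF = r"""
# permission : users/groups : origins
+ : DOMAIN\my-ssh-group : ALL
+ : DOMAIN\admin-group : ALL
- : ALL : ALL
"""

def parse_access_conf(text):
    """Parse 'perm : who : origins' lines into (perm, [who...], [origins...]) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed pam_access rule: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules

def _who_matches(token, user, groups):
    # pam_access tries a token as a user name, then as a group name; "(name)"
    # forces a group match. Tokens are whitespace-separated (no spaces in names).
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups
    return token == user or token in groups

def decide(rules, user, groups, origin="sshd"):
    """First matching rule wins; like pam_access, no match at all means allowed.
    Origin matching is simplified to 'ALL' or an exact token (no netmasks/ttys)."""
    for rule in rules:
        perm, who, origins = rule
        if any(_who_matches(t, user, groups) for t in who) and \
                ("ALL" in origins or origin in origins):
            return perm == "+", rule
    return True, None

# Constructed users with the groups winbind reports after a password login
# (the DOMAIN\ prefix assumes the default 'winbind separator' of '\').
RULES = parse_access_conf(ACCESS_CONF)
ALICE = decide(RULES, r"DOMAIN\alice", [r"DOMAIN\domain users", r"DOMAIN\my-ssh-group"])
BOB = decide(RULES, r"DOMAIN\bob", [r"DOMAIN\domain users"])  # no allowed group: denied
LOCAL = decide(RULES, "localadmin", ["localadmin", "sudo"])   # local account: denied too
# The same two lines in the wrong order: "-:ALL:ALL" matches first, so nobody gets in.
REVERSED = decide(parse_access_conf("- : ALL : ALL\n+ : DOMAIN\\my-ssh-group : ALL"),
                  r"DOMAIN\alice", [r"DOMAIN\my-ssh-group"])
```

Note that the trailing "-:ALL:ALL" also shuts out local accounts that are not listed in a "+" line, so any local admin who needs SSH must get an explicit entry above it.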
L.P.H. van Belle
2021-Mar-09 14:04 UTC
[Samba] Group membership not updating on one DC only
Strange, I use all you describe below and all work on my member server.

Do all groups you're using have a GID assigned?

And added to this I also use automounted homedirs..

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthias Kühne |
> Ellerhold AG via samba
> Sent: Tuesday, 9 March 2021 14:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Group membership not updating on one DC only
>
> Heyho,
>
> we've done some more tests (debian buster and samba 4.13.4).

I use also 4.13.4 ( 4.13.5 is building currently )

> Restricting SSH-access via the sshd_config to a certain group does not
> work. SSH tests group membership BEFORE winbind can update the groups.
> And if SSHd has denied you, winbind won't update the groups you're in.
>
> Scenario A: User gets this group and tries to connect. SSHd tests the
> groups of the user, determines that the user is not part of the group
> and denies him (seen in auth.log). It still asks for your password but
> this won't do anything. You're not in the group -> denied forever.
>
> Scenario B: User is in the group, gets expelled. He tries to connect and
> SSHd allows it (because the user is in the group). After the successful
> auth with PW winbind updates the group and the next SSH connection would
> fail.
>
> Scenario C: User uses public-key auth. Winbind never updates the groups
> and the user can login forever (if he/she was in the group) or never (if
> he/she weren't).
>
> We got it working though!
>
> 1. Disable Public-Key Auth for samba-users.

Where my customers do use public-keys for auth. ( and yes, these are samba users. )

> 2. Remove AllowUsers & AllowGroups from the sshd_config

I only use AllowGroups here, I have 2 groups, one linux group, for linux users and a windows group which have the samba users.

> 3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add
> [accessfile=/etc/security/pam_access_sshd.conf] to the line.

All I did is run : pam-auth-update

> 4. Create /etc/security/pam_access_sshd.conf with this content:
> 4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"
> 4.2. Add "-:ALL:ALL" at the end to deny everyone else
> 5. Test it.
>
> This way SSHd does not validate the groups and allows every valid user.
> Winbind updates the group membership and after that pam_access denies
> the user if it's not in the right group.
>
> PubKey-Auth still doesn't work though :/
>
> This should work for Debian and any other system with PAM. IDK if any
> other distro has a similar system with which you could achieve the same
> thing.