Matthias Kühne | Ellerhold AG
2021-Mar-09 13:13 UTC
[Samba] Group membership not updating on one DC only
Heyho,

we've done some more tests (debian buster and samba 4.13.4).

Restricting SSH-access via the sshd_config to a certain group does not work. SSH tests group membership BEFORE winbind can update the groups. And if SSHd has denied you, winbind won't update the groups you're in.

Scenario A: User gets this group and tries to connect. SSHd tests the groups of the user, determines that the user is not part of the group and denies him (seen in auth.log). It still asks for your password but this won't do anything. You're not in the group -> denied forever.

Scenario B: User is in the group and gets expelled. He tries to connect and SSHd allows it (because the user is in the group). After the successful auth with PW winbind updates the group and the next SSH connection would fail.

Scenario C: User uses public-key auth. Winbind never updates the groups and the user can login forever (if he/she was in the group) or never (if he/she wasn't).

We got it working though!

1. Disable Public-Key Auth for samba-users.

2. Remove AllowUsers & AllowGroups from the sshd_config

3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add [accessfile=/etc/security/pam_access_sshd.conf] to the line.

4. Create /etc/security/pam_access_sshd.conf with this content:

4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"

4.2. Add "-:ALL:ALL" at the end to deny everyone else

5. Test it.

This way SSHd does not validate the groups and allows every valid user. Winbind updates the group membership and after that pam_access denies the user if it's not in the right group.

PubKey-Auth still doesn't work though :/

This should work for Debian and any other system with PAM. IDK if any other distro has a similar system with which you could achieve the same thing.

On 24.02.21 at 22:42, Rowland penny via samba wrote:
> On 24/02/2021 21:20, Christian via samba wrote:
>>
>>> Why do you need to know what groups a user is a member of ?
>> Match group admin-group
>>     AllowUsers *
>> Match group remotessh
>>     AllowUsers *
>>
>> in /etc/ssh/sshd_config comes to mind... Thanks,
>
>
> That is a valid reason, well it would be except for the fact that
> disabled users can still login via SSH.
>
> I wonder if you could use kerberos instead of keys along with the
> groups ? Never tried it, just thinking out loud.
>
> Rowland

-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Board of Management: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

----------------

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
Hi Matthias,

thanks for posting this. It worked for me.

Just one comment: Debian has

account required pam_access.so

in /etc/pam.d/sshd. Would it not make sense to change that to

auth required pam_access.so nodefgroup accessfile=/etc/security/pam_access_sshd.conf

The difference being that the user who tries to login with the correct password but is denied access, because she is not in the correct group, will get the same result as if the password had been entered incorrectly or the account did not exist in the first place.

Best wishes,
Christian

On 09.03.2021 14:13, Matthias Kühne | Ellerhold AG via samba wrote:
> Heyho,
>
> we've done some more tests (debian buster and samba 4.13.4).
>
> Restricting SSH-access via the sshd_config to a certain group does not
> work. SSH tests group membership BEFORE winbind can update the groups.
> And if SSHd has denied you, winbind won't update the groups you're in.
>
>
> Scenario A: User gets this group and tries to connect. SSHd tests the
> groups of the user, determines that the user is not part of the group
> and denies him (seen in auth.log). It still asks for your password but
> this won't do anything. You're not in the group -> denied forever.
>
> Scenario B: User is in the group and gets expelled. He tries to connect and
> SSHd allows it (because the user is in the group). After the successful
> auth with PW winbind updates the group and the next SSH connection would
> fail.
>
> Scenario C: User uses public-key auth. Winbind never updates the groups
> and the user can login forever (if he/she was in the group) or never (if
> he/she wasn't).
>
>
> We got it working though!
>
> 1. Disable Public-Key Auth for samba-users.
>
> 2. Remove AllowUsers & AllowGroups from the sshd_config
>
> 3. Edit /etc/pam.d/sshd : uncomment the line with pam_access.so and add
> [accessfile=/etc/security/pam_access_sshd.conf] to the line.
>
> 4. Create /etc/security/pam_access_sshd.conf with this content:
>
> 4.1. For every "allowed SSH group" add "+:DOMAIN\my-ssh-group:ALL"
>
> 4.2. Add "-:ALL:ALL" at the end to deny everyone else
>
> 5. Test it.
>
>
> This way SSHd does not validate the groups and allows every valid user.
> Winbind updates the group membership and after that pam_access denies
> the user if it's not in the right group.
>
> PubKey-Auth still doesn't work though :/
>
>
> This should work for Debian and any other system with PAM. IDK if any
> other distro has a similar system with which you could achieve the same
> thing.
>
>
> On 24.02.21 at 22:42, Rowland penny via samba wrote:
>> On 24/02/2021 21:20, Christian via samba wrote:
>>>> Why do you need to know what groups a user is a member of ?
>>> Match group admin-group
>>>     AllowUsers *
>>> Match group remotessh
>>>     AllowUsers *
>>>
>>> in /etc/ssh/sshd_config comes to mind... Thanks,
>>
>> That is a valid reason, well it would be except for the fact that
>> disabled users can still login via SSH.
>>
>> I wonder if you could use kerberos instead of keys along with the
>> groups ? Never tried it, just thinking out loud.
>>
>> Rowland