similar to: Winbind/Samba + sshd incorrect groups

Hi, Ive got winbind and samba working great (version 2.2.3) on our RH 7.1 box's. But as we have about 200 users on our domain, we want to restrict ssh access on our linux box's. So I created a group on the NT PDC called: Winbind In this group, Ive only put our developers and us, the sy admins. In the /etc/ssh/sshd_config, I entered the line: AllowGroups MMEBS+Winbind. Thus, allowing

While the Samba server is running, does it ever refresh the contents of the smb.conf file, or do you have to restart the server for it to see changes to the smb.conf file? Thanks in advance. Jeff Rasnick Software Technologies, Inc. www.softtechks.com -------------- next part -------------- HTML attachment scrubbed and removed

Hi, After extensively looking into puppet + augeas for managing the AllowGroups in sshd_config, I came to the conclusion that it won''t work as I expected :( So I''m sharing my thoughts here. The main objective is allowing multiple groups per-node, depending on what the security team wants. Since I want this to be dynamic, I created a define in a class: class ssh::server::config

Hey everyone, After discussing the AllowGroups I think I've discovered a bug. The system is a solaris 8 system and the problem is that when I use AllowGroups with no AllowUsers args, the proper actions happen. Same with AllowUsers and no AllowGroups. When I try to combine the two, none of the Allow directives seem to take. Is it just me or maybe a bug? -James

Markus, ignore the other stuff I sent.. I need to go back to bed and stop trying to code.. <sigh> For everone else.. Will this make everyone happy? This does the follow. it will always honor AllowUsers. If there is no Allow/DenyGroups it stated they are not in allowUsers. IF there are AllowDenyGroups it tries them. And then stated they are not in either AllowUsers nor AllowGroups

Hi! I'm experimenting with migrating the custom sshd_config settings for our (Debian bullseye, openssh-server 8.4) server environment into fragments under sshd_config.d/, and am wondering about sshd's behaviour when encountering multiple AllowGroup lines. The manual states "For each keyword, the first obtained value will be used.", so that gives me the impression that any

Hai, I have AllowGroups sshlinux, sshwindows Add at least 1 user in the linux group and at least 1 in the sshwindows group. Make sure the sshwindows group have a GID. And make sure the windows user loggin in in ssh als have a UID. AND for both, UID 1000+ ( which is in debian the default PAM setting ) . This is base on a "MEMBER" server. If you do : getent windowsuser You

Hi, with sssd i can do: $ ssh user at domain.tld@HOST1 $ id user at domain.tld $ ls -al /home/domain.tld/user drwx------ 5 user at domain.tld domain users at domain.tld 103 12. Jun 14:14 . $ grep AllowGroups /etc/ssh/sshd_config AllowGroups lokale_gruppe samba_gruppe at domain.tld When switching to winbind only $ id user at domain.tld is working any other command is using user\domain $ ls -al

While testing some AllowUsers and AllowGroups combinations I was surprised to find that one cannot be used to override the other. For example: AllowGroups administrators AllowUsers john If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to create another group just for ssh, something like ssh-admins. This other

On 16/06/2023 19:49, Stefan Kania via samba wrote: > Hi, > > with sssd i can do: > $ ssh user at domain.tld@HOST1 > $ id user at domain.tld > $ ls -al /home/domain.tld/user > drwx------ 5 user at domain.tld domain users at domain.tld? 103 12. Jun 14:14 . > $ grep AllowGroups /etc/ssh/sshd_config > AllowGroups lokale_gruppe samba_gruppe at domain.tld > > When

Subject: logcheck-database: Tweak to ssh rules to ignore AllowGroups denial Package: logcheck-database Version: 1.3.13 Severity: minor *** Please type your report below this line *** Similar to how AllowUsers denials are ignored, also ignore AllowGroups: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because none of

I smacked into this previously reported bug today whereby an invalid keyword in the Match{} stanza did not throw an error on configuration reload. Are there any plans to fix this? Likewise the penchant for some fields to be comma separated and others to be spaces is just asking for mistakes. Why not support both and be done with it? There was no response (that I saw in the archives) to this post

http://bugzilla.mindrot.org/show_bug.cgi?id=999 Summary: AllowGroups ,DenyGroups failed to report hostname Product: Portable OpenSSH Version: 4.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy:

Hi all, let me describe my environment and problem. System is RHEL 5.6 with latest stable OpenSSH. In sshd_config is defined "AllowGroups sshusers" but I need limitation to some of users in group to have access only from defined IP address. As I know this can be setup in sshd_config only for AllowUsers, but users in group are changed so I must use allowgroups instead of allowusers.

https://bugzilla.mindrot.org/show_bug.cgi?id=1690 Summary: AllowUsers and DenyGroups directives are not parsed in the order specified Product: Portable OpenSSH Version: 5.3p1 Platform: ix86 OS/Version: Linux Status: NEW Keywords: patch Severity: trivial Priority: P2 Component:

Hey gang, I seem to be having a brain disconnect on how to get the Augeas type to manage things that have multiple values (i.e. an Augeas tree) via Puppet. If I run this in augtool: augtool> set /files/etc/ssh/sshd_config/AllowGroups/1000 sshuser augtool> save I see this in /etc/ssh/sshd_config: AllowGroups sshuser However, if I try this in an Augeas type: augeas {

Thank for your answer: But i dont know understand why is following not working: I want to restrict the ssh access for a special domain member: In my "sshd_config" i added: AllowGroups restrictaccess root With user2 im able to login via ssh! log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE With user1 im not! log: User user1 from 192.168.0.100 not allowed

The "short" version on why multiple groups here. For all my member servers apply the following. This line : > > AllowGroups servers-ssh sshgroup There are 2, linux only Admin accounts, ( local accounts ) And, only if these are member of the "local group" sshgroup then your allowed to login. Only users that are allowed to login with ssh on these servers

Hi everyone, I have a SerNet-Samba 4.3.6-10 AD which works fine. Now I try to implement a fileserver. It is a server with a lot of (old)-users, which have an Unix-Account. On this server are also users who should can login from the Internet over ssh. But now I'm running in trouble with the security of my fileserver. When I would install samba 4.3.6 on it and activate sernet-samba-client

Hi, before we switched to SSSD we've been implementing the ssh authentication method via Domain using winbind+samba. Version installed on our machines is (still) 2:4.1.6+dfsg-1ubuntu2.14.04.13. So far everything has been working fine, however after we had to change a user's logon name in the domain he can't login anymore. auth.log shows still his old username followed by "from