public inbox for cygwin@cygwin.com
* AllowGroups in SSHD not working for domain accounts
@ 2018-08-01 18:22 Michal Zindulka
  2018-08-01 18:29 ` Jeffrey Walton
  0 siblings, 1 reply; 2+ messages in thread
From: Michal Zindulka @ 2018-08-01 18:22 UTC (permalink / raw)
  To: cygwin

Hi Cygwin team,

I'm trying to set up SSHD with the 'AllowGroups' option, but I've encountered
the following troubles.

When I set up the 'AllowGroups SSHGROUP' option in the 'sshd_config' file,
local users who are members of 'SSHGROUP' are able to log in without any
issue. When I do the same for a domain user, who is also a member of the local
group 'SSHGROUP', the login will fail with the following error in the log:

'User SSHUSER from <IP> not allowed because none of user's groups are listed
in AllowGroups.'

When I try to list all users for my domain user using the 'groups' command, it
shows only the domain groups to which the user belongs + the primary group which
is set in the 'passwd' file.

I was able to make it work, using a workaround, by setting the local 'SSHGROUP'
as the primary group in the 'passwd' file for my domain user. Then this group
was also displayed by the 'groups' command and the user was able to log in, but
it's not a suitable solution for me.

I've also tried to assign my domain user to 'SSHGROUP' in the 'group' file, but
it didn't help.

I'm running Windows Server 2012 R2 with Cygwin 2.10.0. The SSHD service is
running under a local user. I tried as well to run the service under a domain
user, but that didn't help either.

Is Cygwin capable of such a solution and I'm doing something wrong, or is not
listing local groups for domain users the default behaviour?

Thanks in advance.

-- 
Best regards,

*Zindulka Michal*

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
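
Added example, not part of either message and not OpenSSH or Cygwin code: a shell sketch of the group check behind the log line quoted above, which admits a login only when a name in the account's group list matches an AllowGroups pattern. The function names, the sample config and the group lists are constructed assumptions; the sketch reads only the global section (it stops at the first Match line) and ignores quoted arguments.

```shell
#!/bin/sh
# Added example (not from the thread): would AllowGroups admit this group list?
# Simplified: global section only (stops at first Match), no quoted arguments.

# Print each AllowGroups pattern, one per line; repeated directives accumulate.
allowgroups_patterns() {
    while read -r key rest || [ -n "$key" ]; do
        case "$key" in '#'*|'') continue ;; esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        [ "$key" = match ] && break
        [ "$key" = allowgroups ] || continue
        set -f                                       # keep * and ? literal while splitting
        for p in $rest; do printf '%s\n' "$p"; done
        set +f
    done < "$1"
}

# allowgroups_admits CONFIG GROUP...  -> returns 0 if admitted, 1 if rejected
allowgroups_admits() {
    conf=$1; shift
    patterns=$(allowgroups_patterns "$conf")
    [ -n "$patterns" ] || return 0                   # no directive: no group restriction
    found=1
    set -f
    for g in "$@"; do
        for p in $patterns; do
            case "$p" in
                # a group matching a negated pattern rejects the login outright
                '!'*) case "$g" in ${p#\!}) set +f; return 1 ;; esac ;;
                *)    case "$g" in $p) found=0 ;; esac ;;
            esac
        done
    done
    set +f
    return "$found"
}

# Constructed sample: the directive from the thread plus two constructed group lists.
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config fragment' 'AllowGroups SSHGROUP' > "$sample"
# Group list that contains the local group (the working local-user case).
allowgroups_admits "$sample" Users SSHGROUP && echo "local user: admitted"
# Group list with only a domain group, as 'groups' reported for the domain user.
allowgroups_admits "$sample" 'Domain Users' || echo "domain user: rejected"
rm -f "$sample"
```

The check works on whatever group list the system returns for the account, so a local group that is missing from that list cannot match, regardless of the membership recorded elsewhere.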


* Re: AllowGroups in SSHD not working for domain accounts
  2018-08-01 18:22 AllowGroups in SSHD not working for domain accounts Michal Zindulka
@ 2018-08-01 18:29 ` Jeffrey Walton
  0 siblings, 0 replies; 2+ messages in thread
From: Jeffrey Walton @ 2018-08-01 18:29 UTC (permalink / raw)
  To: cygwin

On Wed, Aug 1, 2018 at 2:21 PM, Michal Zindulka
<michal.zindulka@gmail.com> wrote:
> Hi Cygwin team,
>
> I'm trying to set up SSHD with the 'AllowGroups' option, but I've encountered
> the following troubles.
>
> When I set up the 'AllowGroups SSHGROUP' option in the 'sshd_config' file,
> local users who are members of 'SSHGROUP' are able to log in without any
> issue. When I do the same for a domain user, who is also a member of the local
> group 'SSHGROUP', the login will fail with the following error in the log:
>
> 'User SSHUSER from <IP> not allowed because none of user's groups are listed
> in AllowGroups.'
>
> When I try to list all users for my domain user using the 'groups' command, it
> shows only the domain groups to which the user belongs + the primary group which
> is set in the 'passwd' file.
>
> I was able to make it work, using a workaround, by setting the local 'SSHGROUP'
> as the primary group in the 'passwd' file for my domain user. Then this group
> was also displayed by the 'groups' command and the user was able to log in, but
> it's not a suitable solution for me.
>
> I've also tried to assign my domain user to 'SSHGROUP' in the 'group' file, but
> it didn't help.

Not sure if it is related, but...

On Windows domains you are supposed to follow the UGLY model. The
letters of UGLY stand for:

   Users into Global groups
   Global into domain Local groups
   You assign permissions

SSHGROUP should be a local group with members from the domain and global groups.

Of course, scratch this if the machinery is doing something different.

Jeff
