From: Jeffrey Walton
Reply-To: noloader@gmail.com
To: cygwin@cygwin.com
Date: Wed, 01 Aug 2018 18:29:00 -0000
Subject: Re: AllowGroups in SSHD not working for domain accounts

On Wed, Aug 1, 2018 at 2:21 PM, Michal Zindulka wrote:
> Hi Cygwin team,
>
> I'm trying to set up SSHD with the 'AllowGroups' option, but I've encountered
> the following troubles.
>
> When I set up the 'AllowGroups SSHGROUP' option in the 'sshd_config' file, then
> local users who are members of 'SSHGROUP' are able to log in without any
> issue. When I do the same for a domain user, who is also a member of the local
> group 'SSHGROUP', the login will fail with the following error in the log:
>
> 'User SSHUSER from not allowed because non of user's groups are listed
> in AllowGroups.
>
> When I try to list all users for my domain user using the 'groups' command, it
> shows only domain groups where the user belongs + the primary group which is set
> in the 'passwd' file.
>
> I was able to make it work, using a workaround, by setting a local 'SSHGROUP'
> as a primary group in the 'passwd' file for my domain user. Then this group
> was also displayed using the 'groups' command and the user was able to log in, but
> it's not a suitable solution for me.
>
> I've tried also to assign my domain user to 'SSHGROUP' in the 'group' file, but
> it didn't help.

Not sure if it is related, but... On Windows domains you are supposed
to follow the UGLY model. The letters of UGLY stand for:

    Users into Global groups
    Global into domain Local groups
    You assign permissions

SSHGROUP should be a local group with members from the domain and global groups.

Of course, scratch this if the machinery is doing something different.

Jeff
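A diagnostic sketch for the symptom reported in this thread, added here as an example and not part of either message: it reads the AllowGroups patterns from an sshd_config file and checks them against the group names the system reports for a user. The function names `allow_groups` and `group_allowed` are hypothetical, the sample config and group names are constructed, and shell glob matching stands in for sshd's `*` and `?` wildcards.

```shell
#!/bin/sh
# Added example: compare a user's reported groups with AllowGroups.
# Limits of this sketch: ignores Match blocks and the "Keyword=value" form.

# Print every AllowGroups pattern in the given sshd_config, one per line.
# Keywords are case-insensitive; a commented-out line has "#..." as field 1,
# so it never equals the keyword.
allow_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# group_allowed CONFIG GROUP...
# Status 0 if any GROUP matches a pattern, or if no AllowGroups is set
# (in which case the directive imposes no group restriction).
# Runs in a subshell so "set -f" and the variables do not leak.
group_allowed() (
    cfg=$1; shift
    patterns=$(allow_groups "$cfg")
    [ -n "$patterns" ] || exit 0
    set -f                      # keep patterns from expanding to filenames
    for pat in $patterns; do
        for grp in "$@"; do
            case $grp in
                $pat) exit 0 ;; # unquoted: treated as a glob pattern
            esac
        done
    done
    exit 1
)

# Constructed sample mirroring the report: the directive names SSHGROUP,
# but the group list for the domain user holds only domain groups.
demo_cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' 'AllowGroups SSHGROUP' > "$demo_cfg"
if group_allowed "$demo_cfg" 'Domain Users' 'Domain Admins'; then
    echo "allowed"
else
    echo "denied: none of the reported groups is listed in AllowGroups"
fi
rm -f "$demo_cfg"
```

Pass the names printed by `groups` for the account as separate arguments, quoting any name that contains a space.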