Re: AllowGroups in SSHD not working for domain accounts

[Jeffrey Walton <noloader at gmail dot com>]

On Wed, Aug 1, 2018 at 2:21 PM, Michal Zindulka
<michal.zindulka@gmail.com> wrote:
> Hi Cygwin team,
>
> I'm trying to setup SSHD with 'AllowGroups' option, but I've encountered
> following troubles.
>
> When I setup the 'AllowGroups SSHGROUP' option in 'sshd_config' file, then
> a local users who are members of 'SSHGROUP' are able to login without any
> issue. When I do the same for domain user, who is also member of local
> group 'SSHGROUP', the login will fail with following error in the log:
>
> 'User SSHUSER from <IP> not allowed because non of user's groups are listed
> in AllowGroups.
>
> When I try to list all users for my domain user using 'groups' command, it
> show only domain groups where the user belong + primary groups which is set
> in 'passwd' file.
>
> I was able to make it work, using a workaround, by set a local 'SSHGROUP'
> as a primary group in 'passwd' file for my domain user. Then this groups is
> was also displayed using 'groups' command and user was able to login, but
> it's not a suitable solution for me.
>
> I've tried also to assign my domain user to 'SSHGROUP' in 'group' file, but
> didn't help.

Not sure if it is related, but...

On Windows domains you are supposed to follow the UGLY model. The
letters of UGLY stand for:

   Users into Global groups
   Global into domain Local groups
   You assign permissions

SSHGROUP should be a local group with members from the domain and global groups.

Of course, scratch this if the machinery is doing something different.

Jeff

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple