This is the mail archive of the
mailing list for the Cygwin project.
Re: LDAP integration and sshd
- From: Achim Gratz <Stromeko at nexgo dot de>
- To: cygwin at cygwin dot com
- Date: Thu, 26 Jun 2014 19:03:07 +0200
- Subject: Re: LDAP integration and sshd
- Authentication-results: sourceware.org; auth=none
- References: <loom dot 20140625T141552-513 at post dot gmane dot org> <20140625130727 dot GQ1803 at calimero dot vinschen dot de> <loom dot 20140626T093103-970 at post dot gmane dot org> <20140626083253 dot GA25654 at calimero dot vinschen dot de> <loom dot 20140626T112515-399 at post dot gmane dot org> <20140626105045 dot GU1803 at calimero dot vinschen dot de>
Corinna Vinschen writes:
>> Hmm. Doesn't appear to be working in any combination I tried, I'm always
>> getting an "invalid user" when I'm trying to do that. Is it possible that
>> the AD lookup doesn't work when using privilege separation?
> No idea. Did you try? You didn't use '@' as separator, by any chance?
No, I didn't change any settings from the default (apart from the lone
sshd entry in /etc/passwd to make the local account visible to the
sshd). The sshd runs under the sshd local account.
So, I've tried to let certain users in only if they match a name pattern
(the pattern match is verified to work and shows up in the log) and are
in group +Administrators as resloves with getent, as soon as I specify
anything other than "*" in the AllowGroup config, these users are not
allowed to log in. I've tried "Administrators", "+Administrators" and
even "primaryDOM+Administrators". The same happens for another list of
users and a non-administrative group from the primary domain that
basically all users are a member of; no changes in behaviour when I
chose a domain group that I know has only a handful of users including
the test account.
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Wavetables for the Terratec KOMPLEXER:
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple