AllowGroups in SSHD not working for domain accounts
Jeffrey Walton
noloader@gmail.com
Wed Aug 1 18:29:00 GMT 2018
On Wed, Aug 1, 2018 at 2:21 PM, Michal Zindulka
<michal.zindulka@gmail.com> wrote:
> Hi Cygwin team,
>
> I'm trying to setup SSHD with 'AllowGroups' option, but I've encountered
> following troubles.
>
> When I setup the 'AllowGroups SSHGROUP' option in 'sshd_config' file, then
> a local users who are members of 'SSHGROUP' are able to login without any
> issue. When I do the same for domain user, who is also member of local
> group 'SSHGROUP', the login will fail with following error in the log:
>
> 'User SSHUSER from <IP> not allowed because non of user's groups are listed
> in AllowGroups.
>
> When I try to list all users for my domain user using 'groups' command, it
> show only domain groups where the user belong + primary groups which is set
> in 'passwd' file.
>
> I was able to make it work, using a workaround, by set a local 'SSHGROUP'
> as a primary group in 'passwd' file for my domain user. Then this groups is
> was also displayed using 'groups' command and user was able to login, but
> it's not a suitable solution for me.
>
> I've tried also to assign my domain user to 'SSHGROUP' in 'group' file, but
> didn't help.
Not sure if it is related, but...
On Windows domains you are supposed to follow the UGLY model. The
letters of UGLY stand for:
Users into Global groups
Global into domain Local groups
You assign permissions
SSHGROUP should be a local group with members from the domain and global groups.
Of course, scratch this if the machinery is doing something different.
Jeff
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list