This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: AllowGroups in SSHD not working for domain accounts
- From: Jeffrey Walton <noloader at gmail dot com>
- To: cygwin at cygwin dot com
- Date: Wed, 1 Aug 2018 14:28:56 -0400
- Subject: Re: AllowGroups in SSHD not working for domain accounts
- References: <CAKxHmYnTs0O=Hw7ABVcmE1N6TieX04+U4rTM9wtkO3g-0_UXhw@mail.gmail.com>
- Reply-to: noloader at gmail dot com
On Wed, Aug 1, 2018 at 2:21 PM, Michal Zindulka
<michal.zindulka@gmail.com> wrote:
> Hi Cygwin team,
>
> I'm trying to setup SSHD with 'AllowGroups' option, but I've encountered
> following troubles.
>
> When I setup the 'AllowGroups SSHGROUP' option in 'sshd_config' file, then
> a local users who are members of 'SSHGROUP' are able to login without any
> issue. When I do the same for domain user, who is also member of local
> group 'SSHGROUP', the login will fail with following error in the log:
>
> 'User SSHUSER from <IP> not allowed because non of user's groups are listed
> in AllowGroups.
>
> When I try to list all users for my domain user using 'groups' command, it
> show only domain groups where the user belong + primary groups which is set
> in 'passwd' file.
>
> I was able to make it work, using a workaround, by set a local 'SSHGROUP'
> as a primary group in 'passwd' file for my domain user. Then this groups is
> was also displayed using 'groups' command and user was able to login, but
> it's not a suitable solution for me.
>
> I've tried also to assign my domain user to 'SSHGROUP' in 'group' file, but
> didn't help.
Not sure if it is related, but...
On Windows domains you are supposed to follow the UGLY model. The
letters of UGLY stand for:
Users into Global groups
Global into domain Local groups
You assign permissions
SSHGROUP should be a local group with members from the domain and global groups.
Of course, scratch this if the machinery is doing something different.
Jeff
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple