Mail Archives: cygwin/2018/08/01/14:22:17

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: Michal Zindulka <michal DOT zindulka AT gmail DOT com>
Date: Wed, 1 Aug 2018 20:21:51 +0200
Message-ID: <CAKxHmYnTs0O=Hw7ABVcmE1N6TieX04+U4rTM9wtkO3g-0_UXhw@mail.gmail.com>
Subject: AllowGroups in SSHD not working for domain accounts
To: cygwin AT cygwin DOT com

Hi Cygwin team,

I'm trying to set up SSHD with the 'AllowGroups' option, but I've encountered
the following troubles.

When I set up the 'AllowGroups SSHGROUP' option in the 'sshd_config' file,
local users who are members of 'SSHGROUP' are able to log in without any
issue. When I do the same for a domain user, who is also a member of the local
group 'SSHGROUP', the login fails with the following error in the log:

'User SSHUSER from <IP> not allowed because none of user's groups are listed
in AllowGroups.'

When I try to list all users for my domain user using the 'groups' command, it
shows only the domain groups where the user belongs + the primary group which is
set in the 'passwd' file.

I was able to make it work, using a workaround, by setting the local 'SSHGROUP'
as the primary group in the 'passwd' file for my domain user. Then this group
was also displayed using the 'groups' command and the user was able to log in,
but it's not a suitable solution for me.

I've also tried to assign my domain user to 'SSHGROUP' in the 'group' file, but
it didn't help.

I'm running Windows Server 2012 R2 with Cygwin 2.10.0. The SSHD service is
running under a local user. I also tried to run the service under a domain
user, but it didn't help either.

Is Cygwin capable of such a solution and I'm doing something wrong, or is not
listing local groups for domain users the default behaviour?

Thanks in advance.

-- 
Best regards,

*Zindulka Michal*
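
The comparison described in the message, as an added example that is not part of the original post: a shell script that reads the global AllowGroups patterns from an sshd_config and tests them against a list of group names such as the 'groups' command prints. The function names, file names and every group name other than SSHGROUP are constructed; matching is assumed to be case-sensitive with `*` and `?` wildcards, and `!` negation, quoted patterns and Match blocks are not handled.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post).
# Assumptions: only global AllowGroups lines (before any Match block),
# unquoted patterns without spaces, '*' and '?' wildcards, no '!' negation.

# Print one AllowGroups pattern per line from the sshd_config file in $1.
allow_patterns() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# $1 = sshd_config path, $2 = file with one group name per line.
# Returns 0 if a group matches, 1 if none match, 2 if AllowGroups is unset.
check_allowgroups() {
    patterns=$(allow_patterns "$1")
    [ -n "$patterns" ] || return 2
    while IFS= read -r g; do
        while IFS= read -r pat; do
            case $g in $pat) return 0 ;; esac
        done <<EOF
$patterns
EOF
    done < "$2"
    return 1
}

# Constructed sample data mirroring the post: the directive, and group
# lists as 'groups' might report them for a local and a domain user.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'AllowGroups SSHGROUP' > "$demo_dir/sshd_config"
printf '%s\n' 'None' 'SSHGROUP' > "$demo_dir/local_user.groups"
printf '%s\n' 'Domain Users' 'DOMGROUP' > "$demo_dir/domain_user.groups"

for who in local_user domain_user; do
    if check_allowgroups "$demo_dir/sshd_config" "$demo_dir/$who.groups"; then
        echo "$who: a listed group matches AllowGroups"
    else
        echo "$who: no group matches AllowGroups (rc=$?)"
    fi
done
```

The group list has to be the one resolved for the account at login time, one name per line, because that is the list the AllowGroups patterns are compared against.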
