From: Achim Gratz
To: cygwin AT cygwin DOT com
Subject: Re: LDAP integration and sshd
Date: Fri, 27 Jun 2014 21:08:32 +0200
In-Reply-To: <20140627081702.GV1803@calimero.vinschen.de> (Corinna Vinschen's message of "Fri, 27 Jun 2014 10:17:02 +0200")
Message-ID: <87fviqnpan.fsf@Rainer.invalid>

Corinna Vinschen writes:
> The Admin group is a BUILTIN group, so it's always +Administrators
> under the default prefixing rule, as outlined in my preliminary
> documentation.

Yeah, I was just trying the other variants out of desperation.

> And it works fine for me with the latest from CVS (== latest snapshot),
> I just tested it.

I'm using the latest snapshot, although the behaviour is the same with
the previous one.

> If I add
>
>   AllowGroups +Administrators
>
> I can still log in with my admin account and get a refusal when logging
> in with a non-admin account.
>
> In contrast, if I add
>
>   DenyGroups +Administrators
>
> it's the opposite.

Yes, that's exactly what isn't working. Even in debug mode the messages
from sshd are not very enlightening, but through experimentation I found
that the only thing that works is +Authenticated* (for Authenticated
Users, obviously). I don't know what's going on, but it seems that when
the user credentials are resolved by sshd, the domain accounts are
completely inaccessible. Switching off privilege separation doesn't seem
to make a difference.

> Are you, by any chance, using a non-English OS version? You know that
> the administrators group has a localized name, right? In German, for
> instance, it's called Administratoren.

Not that I know of (I didn't install it), it reports as a bog standard
2012R2 server and all local display is in English.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra