From: Jeffrey Walton
Reply-To: noloader AT gmail DOT com
Date: Wed, 1 Aug 2018 14:28:56 -0400
Subject: Re: AllowGroups in SSHD not working for domain accounts
To: cygwin AT cygwin DOT com

On Wed, Aug 1, 2018 at 2:21 PM, Michal Zindulka wrote:
> Hi Cygwin team,
>
> I'm trying to set up SSHD with the 'AllowGroups' option, but I've encountered
> the following troubles.
>
> When I set up the 'AllowGroups SSHGROUP' option in the 'sshd_config' file, then
> local users who are members of 'SSHGROUP' are able to log in without any
> issue. When I do the same for a domain user, who is also a member of the local
> group 'SSHGROUP', the login will fail with the following error in the log:
>
> 'User SSHUSER from not allowed because none of user's groups are listed
> in AllowGroups'.
>
> When I try to list all users for my domain user using the 'groups' command, it
> shows only domain groups where the user belongs + the primary group which is set
> in the 'passwd' file.
>
> I was able to make it work, using a workaround, by setting a local 'SSHGROUP'
> as a primary group in the 'passwd' file for my domain user. Then this group
> was also displayed using the 'groups' command and the user was able to log in, but
> it's not a suitable solution for me.
>
> I've also tried to assign my domain user to 'SSHGROUP' in the 'group' file, but
> it didn't help.

Not sure if it is related, but...

On Windows domains you are supposed to follow the UGLY model. The
letters of UGLY stand for:

    Users into Global groups
    Global into domain Local groups
    You assign permissions

SSHGROUP should be a local group with members from the domain and
global groups. Of course, scratch this if the machinery is doing
something different.

Jeff
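
A diagnostic for the situation in this thread, as an added example that is not part of the original messages or of OpenSSH: it reads the AllowGroups patterns from an sshd_config-style file and reports whether any of the group names you pass (for instance the ones the 'groups' command prints for the account) matches. The function names, the sample config and the sample group lists are constructed for illustration; matching is plain shell '*' and '?' globbing, and '!' negation is not handled.

```shell
#!/bin/sh
# Added example: compare a user's group names with AllowGroups patterns.
# Assumption: plain shell matching of '*' and '?'; '!' negation is ignored.

# Print every AllowGroups pattern found in FILE, one per line.
# The keyword is matched case-insensitively; commented-out lines are skipped.
allowgroups_patterns() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# group_allowed FILE GROUP...
# Exit 0 if any GROUP matches a pattern (or no AllowGroups is set), else 1.
group_allowed() {
    _cfg=$1; shift
    _pats=$(allowgroups_patterns "$_cfg")
    [ -n "$_pats" ] || return 0          # directive absent: no group restriction
    for _grp in "$@"; do
        while IFS= read -r _pat; do
            case $_grp in
                $_pat) return 0 ;;       # unquoted on purpose: treated as a glob
            esac
        done <<EOF
$_pats
EOF
    done
    return 1
}

# Constructed sample data: one config and three group lists that mirror the
# local user, the domain user and the primary-group workaround from the post.
demo() {
    cfg=$(mktemp)
    printf '%s\n' '# constructed sample' 'Port 22' 'AllowGroups SSHGROUP' > "$cfg"
    for case_name in local domain workaround; do
        case $case_name in
            local)      set -- Users SSHGROUP ;;
            domain)     set -- 'Domain Users' 'Engineers' ;;
            workaround) set -- SSHGROUP 'Domain Users' ;;
        esac
        if group_allowed "$cfg" "$@"; then
            echo "$case_name: allowed"
        else
            echo "$case_name: none of the groups match AllowGroups"
        fi
    done
    rm -f "$cfg"
}
demo
```

Group names are passed as separate arguments because domain group names such as 'Domain Users' contain spaces.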