Local groups mapped to AD users via groups.conf working - but only with ssh login Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Come Celebrate our 10 Year Anniversary!What is the equivalent of /etc/pam.d/system-auth on Ubuntu 18Linux authentication via ADS — allowing only specific groups in PAMSamba/Winbind: adding domain users to local groups based on domain groupLinux PAM pam_succeed_if.soLimiting login via access.conf not workingLDAP Not working for SSH connections on ubuntu 12.04login with active directory users on debian jessy not workingGroupmapping does not work for AD groupsHow to configure pam to only mount with winbind authentificationAuthenticated with SSSD (LDAP) but use /etc/passwd after loginIssues with PAM and CRON
When a candle burns, why does the top of wick glow if bottom of flame is hottest?
Extracting terms with certain heads in a function
If a VARCHAR(MAX) column is included in an index, is the entire value always stored in the index page(s)?
Do square wave exist?
When was Kai Tak permanently closed to cargo service?
Do I really need recursive chmod to restrict access to a folder?
How would a mousetrap for use in space work?
Trademark violation for app?
Why are there no cargo aircraft with "flying wing" design?
Using et al. for a last / senior author rather than for a first author
How to answer "Have you ever been terminated?"
What font is "z" in "z-score"?
Can you use the Shield Master feat to shove someone before you make an attack by using a Readied action?
Dating a Former Employee
Is grep documentation wrong?
How to find all the available tools in mac terminal?
Using audio cues to encourage good posture
Why aren't air breathing engines used as small first stages
Compare a given version number in the form major.minor.build.patch and see if one is less than the other
Fundamental Solution of the Pell Equation
Is this homebrew Lady of Pain warlock patron balanced?
What would be the ideal power source for a cybernetic eye?
How do pianists reach extremely loud dynamics?
Can a new player join a group only when a new campaign starts?
Local groups mapped to AD users via groups.conf working - but only with ssh login
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!What is the equivalent of /etc/pam.d/system-auth on Ubuntu 18Linux authentication via ADS — allowing only specific groups in PAMSamba/Winbind: adding domain users to local groups based on domain groupLinux PAM pam_succeed_if.soLimiting login via access.conf not workingLDAP Not working for SSH connections on ubuntu 12.04login with active directory users on debian jessy not workingGroupmapping does not work for AD groupsHow to configure pam to only mount with winbind authentificationAuthenticated with SSSD (LDAP) but use /etc/passwd after loginIssues with PAM and CRON
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I'm running a Samba Active Directory domain with Ubuntu 18.04 clients.
I used the /etc/security/group.conf file to successfully create a mapping for domain users to the "dialout" group. I tested it on a number of machines, and it worked fine...
rightmire@testpc:~$ groups
domain users dialout master BUILTIN+users rightmire
However, today for no apparent reason - it is no longer mapping the dialout group...
rightmire@testpc:~$ groups
domain users master BUILTIN+users rightmire
Re-running pam-auth-update does seem to see the groups.conf...
I'm not sure how to begin troubleshooting this. Searching for group.conf or pam-auth-update in the logs comes up with nothing. I'm not seeing anything pertinent in syslog or auth.log
===
FILES:
root@testpc:~# cat /etc/security/group.conf | sed '/^#/d'
*;*;*;Al0000-2400;dialout
root@testpc:~# cat /usr/share/pam-configs/my_groups
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_group.so use_first_pass
root@testpc:~# DEBIAN_FRONTEND=noninteractive pam-auth-update
root@testpc:~#
(I.e. no error...)
UPDATE:
It seems that the problem only appears with su - user or local login (even though the local login is via the domain).
I.e. If I login via ssh as the user, the dialout group appears fine...
rightmire@localPC:~$ ssh rightmire@remotePC
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)
(...snip...)
68 packages can be updated.
43 updates are security updates.
rightmire@remotePC:~$ groups
domain users dialout master BUILTIN+users
rightmire@remotePC:~$
But if I su - rightmire, it does not appear...
root@remotePC:~# su - rightmire
rightmire@remotePC:~$ groups
domain users master BUILTIN+users domain admins denied rodc password replication group staff konstrukteure vicongroup h2t rightmire
rightmire@remotePC:~$
UPDATE
I have looked in the /etc/pam.d. The two files which contain a reference to pam_group.so are common-auth and login
./common-auth:auth required pam_group.so use_first_pass
./login:auth optional pam_group.so
However, the majority of the (login pertinent) files (including su and sudo which DON'T set the group, as well as sshd which DOES set the groups) include common-auth ...
./chfn:@include common-auth
./chsh:@include common-auth
./cron:@include common-auth
./cups:@include common-auth
./gdm-password:@include common-auth
./lightdm:@include common-auth
./login:@include common-auth
./other:@include common-auth
./polkit-1:@include common-auth
./samba:@include common-auth
./slock:@include common-auth
./sshd:@include common-auth
./su:@include common-auth
./sudo:@include common-auth
active-directory samba pam groups ubuntu-18.04
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
add a comment |
I'm running a Samba Active Directory domain with Ubuntu 18.04 clients.
I used the /etc/security/group.conf file to successfully create a mapping for domain users to the "dialout" group. I tested it on a number of machines, and it worked fine...
rightmire@testpc:~$ groups
domain users dialout master BUILTIN+users rightmire
However, today for no apparent reason - it is no longer mapping the dialout group...
rightmire@testpc:~$ groups
domain users master BUILTIN+users rightmire
Re-running pam-auth-update does seem to see the groups.conf...
I'm not sure how to begin troubleshooting this. Searching for group.conf or pam-auth-update in the logs comes up with nothing. I'm not seeing anything pertinent in syslog or auth.log
===
FILES:
root@testpc:~# cat /etc/security/group.conf | sed '/^#/d'
*;*;*;Al0000-2400;dialout
root@testpc:~# cat /usr/share/pam-configs/my_groups
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_group.so use_first_pass
root@testpc:~# DEBIAN_FRONTEND=noninteractive pam-auth-update
root@testpc:~#
(I.e. no error...)
UPDATE:
It seems that the problem only appears with su - user or local login (even though the local login is via the domain).
I.e. If I login via ssh as the user, the dialout group appears fine...
rightmire@localPC:~$ ssh rightmire@remotePC
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)
(...snip...)
68 packages can be updated.
43 updates are security updates.
rightmire@remotePC:~$ groups
domain users dialout master BUILTIN+users
rightmire@remotePC:~$
But if I su - rightmire, it does not appear...
root@remotePC:~# su - rightmire
rightmire@remotePC:~$ groups
domain users master BUILTIN+users domain admins denied rodc password replication group staff konstrukteure vicongroup h2t rightmire
rightmire@remotePC:~$
UPDATE
I have looked in the /etc/pam.d. The two files which contain a reference to pam_group.so are common-auth and login
./common-auth:auth required pam_group.so use_first_pass
./login:auth optional pam_group.so
However, the majority of the (login pertinent) files (including su and sudo which DON'T set the group, as well as sshd which DOES set the groups) include common-auth ...
./chfn:@include common-auth
./chsh:@include common-auth
./cron:@include common-auth
./cups:@include common-auth
./gdm-password:@include common-auth
./lightdm:@include common-auth
./login:@include common-auth
./other:@include common-auth
./polkit-1:@include common-auth
./samba:@include common-auth
./slock:@include common-auth
./sshd:@include common-auth
./su:@include common-auth
./sudo:@include common-auth
active-directory samba pam groups ubuntu-18.04
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
add a comment |
I'm running a Samba Active Directory domain with Ubuntu 18.04 clients.
I used the /etc/security/group.conf file to successfully create a mapping for domain users to the "dialout" group. I tested it on a number of machines, and it worked fine...
rightmire@testpc:~$ groups
domain users dialout master BUILTIN+users rightmire
However, today for no apparent reason - it is no longer mapping the dialout group...
rightmire@testpc:~$ groups
domain users master BUILTIN+users rightmire
Re-running pam-auth-update does seem to see the groups.conf...
I'm not sure how to begin troubleshooting this. Searching for group.conf or pam-auth-update in the logs comes up with nothing. I'm not seeing anything pertinent in syslog or auth.log
===
FILES:
root@testpc:~# cat /etc/security/group.conf | sed '/^#/d'
*;*;*;Al0000-2400;dialout
root@testpc:~# cat /usr/share/pam-configs/my_groups
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_group.so use_first_pass
root@testpc:~# DEBIAN_FRONTEND=noninteractive pam-auth-update
root@testpc:~#
(I.e. no error...)
UPDATE:
It seems that the problem only appears with su - user or local login (even though the local login is via the domain).
I.e. If I login via ssh as the user, the dialout group appears fine...
rightmire@localPC:~$ ssh rightmire@remotePC
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)
(...snip...)
68 packages can be updated.
43 updates are security updates.
rightmire@remotePC:~$ groups
domain users dialout master BUILTIN+users
rightmire@remotePC:~$
But if I su - rightmire, it does not appear...
root@remotePC:~# su - rightmire
rightmire@remotePC:~$ groups
domain users master BUILTIN+users domain admins denied rodc password replication group staff konstrukteure vicongroup h2t rightmire
rightmire@remotePC:~$
UPDATE
I have looked in the /etc/pam.d. The two files which contain a reference to pam_group.so are common-auth and login
./common-auth:auth required pam_group.so use_first_pass
./login:auth optional pam_group.so
However, the majority of the (login pertinent) files (including su and sudo which DON'T set the group, as well as sshd which DOES set the groups) include common-auth ...
./chfn:@include common-auth
./chsh:@include common-auth
./cron:@include common-auth
./cups:@include common-auth
./gdm-password:@include common-auth
./lightdm:@include common-auth
./login:@include common-auth
./other:@include common-auth
./polkit-1:@include common-auth
./samba:@include common-auth
./slock:@include common-auth
./sshd:@include common-auth
./su:@include common-auth
./sudo:@include common-auth
active-directory samba pam groups ubuntu-18.04
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
I'm running a Samba Active Directory domain with Ubuntu 18.04 clients.
I used the /etc/security/group.conf file to successfully create a mapping for domain users to the "dialout" group. I tested it on a number of machines, and it worked fine...
rightmire@testpc:~$ groups
domain users dialout master BUILTIN+users rightmire
However, today for no apparent reason - it is no longer mapping the dialout group...
rightmire@testpc:~$ groups
domain users master BUILTIN+users rightmire
Re-running pam-auth-update does seem to see the groups.conf...
I'm not sure how to begin troubleshooting this. Searching for group.conf or pam-auth-update in the logs comes up with nothing. I'm not seeing anything pertinent in syslog or auth.log
===
FILES:
root@testpc:~# cat /etc/security/group.conf | sed '/^#/d'
*;*;*;Al0000-2400;dialout
root@testpc:~# cat /usr/share/pam-configs/my_groups
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_group.so use_first_pass
root@testpc:~# DEBIAN_FRONTEND=noninteractive pam-auth-update
root@testpc:~#
(I.e. no error...)
UPDATE:
It seems that the problem only appears with su - user or local login (even though the local login is via the domain).
I.e. If I login via ssh as the user, the dialout group appears fine...
rightmire@localPC:~$ ssh rightmire@remotePC
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)
(...snip...)
68 packages can be updated.
43 updates are security updates.
rightmire@remotePC:~$ groups
domain users dialout master BUILTIN+users
rightmire@remotePC:~$
But if I su - rightmire, it does not appear...
root@remotePC:~# su - rightmire
rightmire@remotePC:~$ groups
domain users master BUILTIN+users domain admins denied rodc password replication group staff konstrukteure vicongroup h2t rightmire
rightmire@remotePC:~$
UPDATE
I have looked in the /etc/pam.d. The two files which contain a reference to pam_group.so are common-auth and login
./common-auth:auth required pam_group.so use_first_pass
./login:auth optional pam_group.so
However, the majority of the (login pertinent) files (including su and sudo which DON'T set the group, as well as sshd which DOES set the groups) include common-auth ...
./chfn:@include common-auth
./chsh:@include common-auth
./cron:@include common-auth
./cups:@include common-auth
./gdm-password:@include common-auth
./lightdm:@include common-auth
./login:@include common-auth
./other:@include common-auth
./polkit-1:@include common-auth
./samba:@include common-auth
./slock:@include common-auth
./sshd:@include common-auth
./su:@include common-auth
./sudo:@include common-auth
active-directory samba pam groups ubuntu-18.04
active-directory samba pam groups ubuntu-18.04
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
edited yesterday
BurningKrome
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
asked Apr 12 at 7:32
BurningKromeBurningKrome
176111
176111
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962739%2flocal-groups-mapped-to-ad-users-via-groups-conf-working-but-only-with-ssh-logi%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962739%2flocal-groups-mapped-to-ad-users-via-groups-conf-working-but-only-with-ssh-logi%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
