View Issue Details

ID: 0016350
Project: CentOS-6
Category: samba
View Status: public
Last Update: 2019-09-06 09:05
Reporter: gwinkless
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 6.10
Target Version:
Fixed in Version:
Summary: 0016350: samba packages 3.6.23-52.el6_10 breaks AD groups integration

Description: Have servers set up to authenticate users with kerberos integrating with AD; users can no longer log in after updating to 3.6.23-52.

Steps To Reproduce:

1. Join server to AD in the recommended way (see many howtos online).

2. Add active directory groups to sshd_config AllowGroups line

3. Add

   account [default=ignore success=1] pam_succeed_if.so user ingroup ad_group_name

to /etc/pam.d/sshd

With previous version of samba packages, this works: users can log in via ssh with active directory authentication information.

After upgrading to 3.6.23-52.el6_10 we get

Aug 21 14:12:33 servername sshd[19066]: User ad.user.name from <machinename> not allowed because none of user's groups are listed in AllowGroups

in /var/log/secure

If you add "domain users" to AllowGroups you then get

Aug 21 17:26:03 servername sshd[10622]: pam_succeed_if(sshd:account): requirement "user ingroup ad_group_name" not met by user "ad.user.name"

in /var/log/secure - this shows that the authentication is working, but the group membership test is broken.

Using the AD groups in /etc/sudoers also exhibits the same problem.

Additional Information: This breaks across multiple servers and all work again once samba update is rolled back.

Tags: No tags attached.

Activities

There are no notes attached to this issue.
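
An added triage example, not part of the original report or of the samba/CentOS projects: it classifies the two /var/log/secure messages quoted in the report so an administrator can see which accounts were rejected by sshd's AllowGroups check, by the pam_succeed_if group test, or by both. The sample log lines are constructed from the formats in the report; the client hostname, the second user and the "Accepted password" line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/secure format quoted in the report
# (client hostname, PIDs of extra lines and the second user are made up).
SAMPLE_LOG = """\
Aug 21 14:12:33 servername sshd[19066]: User ad.user.name from client01 not allowed because none of user's groups are listed in AllowGroups
Aug 21 14:13:02 servername sshd[19080]: Accepted password for localadmin from client01 port 50022 ssh2
Aug 21 17:26:03 servername sshd[10622]: pam_succeed_if(sshd:account): requirement "user ingroup ad_group_name" not met by user "ad.user.name"
Aug 21 17:30:11 servername sshd[10700]: pam_succeed_if(sshd:account): requirement "user ingroup ad_group_name" not met by user "other.user"
"""

PREFIX = r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: '
# sshd's own AllowGroups check: none of the user's resolved groups were listed.
ALLOWGROUPS = re.compile(PREFIX + r"User (?P<user>\S+) from \S+ not allowed because "
                         r"none of user's groups are listed in AllowGroups$")
# pam_succeed_if account-phase check: the user was not found in the named group.
PAM_INGROUP = re.compile(PREFIX + r'pam_succeed_if\(sshd:account\): requirement '
                         r'"user ingroup (?P<group>[^"]+)" not met by user "(?P<user>[^"]+)"$')

def triage(log_text):
    """Return {user: {check_name: [timestamps]}} for group-membership denials."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = ALLOWGROUPS.match(line)
        if m:
            findings[m["user"]]["sshd:AllowGroups"].append(m["ts"])
            continue
        m = PAM_INGROUP.match(line)
        if m:
            findings[m["user"]]["pam_succeed_if:" + m["group"]].append(m["ts"])
    return {user: dict(checks) for user, checks in findings.items()}

def denied_by_both_layers(findings):
    """Users rejected by the sshd check and by the PAM group test."""
    return sorted(user for user, checks in findings.items()
                  if "sshd:AllowGroups" in checks
                  and any(name.startswith("pam_succeed_if:") for name in checks))

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for user, checks in sorted(result.items()):
        print(user, checks)
    print("denied by both layers:", denied_by_both_layers(result))
```
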

Issue History

Date Modified Username Field Change
2019-08-22 09:25 gwinkless New Issue