On Jun 26 19:03, Achim Gratz wrote:
> Corinna Vinschen writes:
>
> >> Hmm. Doesn't appear to be working in any combination I tried, I'm always
> >> getting an "invalid user" when I'm trying to do that. Is it possible that
> >> the AD lookup doesn't work when using privilege separation?
> >
> > No idea. Did you try? You didn't use '@' as separator, by any chance?
>
> No, I didn't change any settings from the default (apart from the lone
> sshd entry in /etc/passwd to make the local account visible to the
> sshd). The sshd runs under the sshd local account.
>
> So, I've tried to let certain users in only if they match a name pattern
> (the pattern match is verified to work and shows up in the log) and are
> in group +Administrators as resolves with getent, as soon as I specify
> anything other than "*" in the AllowGroups config, these users are not
> allowed to log in. I've tried "Administrators", "+Administrators" and
> even "primaryDOM+Administrators".
The Admin group is a BUILTIN group, so it's always +Administrators under the
default prefixing rule, as outlined in my preliminary documentation.  And it
works fine for me with the latest from CVS (== latest snapshot), I just
tested it.  If I add AllowGroups +Administrators I can still log in with my
admin account and get a refusal when logging in with a non-admin account.
In contrast, if I add DenyGroups +Administrators it's the opposite.

Are you, by any chance, using a non-English OS version?  You know that the
administrators group has a localized name, right?  In German, for instance,
it's called Administratoren.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
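As an added example (not code from this thread, from Cygwin or from OpenSSH), the POSIX shell script below emulates the group part of sshd's access control against Cygwin-style group names, so the three spellings Achim tried and the localized-name case Corinna raises can be compared side by side. The user-to-group table, the account names and the German account "hans" are constructed for illustration; on a real host you would feed it the output of `id -Gn "$user"` instead. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread, Cygwin or OpenSSH.  It emulates the
# group part of sshd's access control (DenyGroups refuses first, then the user
# must match AllowGroups if that is set) against Cygwin-style group names:
# BUILTIN groups carry a "+" prefix, domain groups are written "DOMAIN+Name".
set -f   # sshd patterns use * and ?; keep the shell from expanding them as file names

# Constructed stand-in for `id -Gn "$user"` (comma-separated, spaces allowed
# inside a name).  "hans" models an account on a German Windows, where the
# BUILTIN groups are called Administratoren and Benutzer.
user_groups() {
    case "$1" in
        corinna) echo "+Administrators,+Users" ;;
        achim)   echo "+Users,primaryDOM+Domain Users" ;;
        hans)    echo "+Administratoren,+Benutzer" ;;
        *)       return 1 ;;
    esac
}

# Return 0 if any group in comma-separated list $1 matches any pattern in the
# space-separated sshd-style list $2.  sshd patterns are globs (* and ?), which
# a shell `case` reproduces closely enough for this purpose.
group_list_matches() {
    _groups=$1 _patterns=$2 _saved_ifs=$IFS
    IFS=','
    set -- $_groups          # one positional parameter per group name
    IFS=$_saved_ifs
    for _g in "$@"; do
        for _p in $_patterns; do
            case "$_g" in
                $_p) return 0 ;;
            esac
        done
    done
    return 1
}

# Verdict for user $1 under AllowGroups=$2 and DenyGroups=$3 (empty = unset).
# Prints one line and returns 0 if the login would be allowed, 1 otherwise.
sshd_group_decision() {
    _user=$1 _allow=$2 _deny=$3
    _ug=$(user_groups "$_user") || { echo "$_user: invalid user"; return 1; }
    if [ -n "$_deny" ] && group_list_matches "$_ug" "$_deny"; then
        echo "$_user: refused (matches DenyGroups '$_deny')"; return 1
    fi
    if [ -n "$_allow" ] && ! group_list_matches "$_ug" "$_allow"; then
        echo "$_user: refused (no match for AllowGroups '$_allow')"; return 1
    fi
    echo "$_user: allowed"
}

# The configuration Corinna reports as working, the variants Achim tried, and
# the localized-name case.  Exit status is ignored here; the verdict is printed.
sshd_group_decision corinna "+Administrators" ""            || :  # allowed
sshd_group_decision achim   "+Administrators" ""            || :  # refused
sshd_group_decision corinna "" "+Administrators"            || :  # refused: DenyGroups
sshd_group_decision corinna "Administrators" ""             || :  # refused: "+" prefix missing
sshd_group_decision corinna "primaryDOM+Administrators" ""  || :  # refused: BUILTIN, not a domain group
sshd_group_decision hans    "+Administrators" ""            || :  # refused: group is +Administratoren here
sshd_group_decision hans    "+Administrator*" ""            || :  # allowed: glob covers the German name
```

The script models only the group directives; real sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and its pattern matcher also accepts a leading "!" for negation, which this emulation leaves out. The last two cases show why a non-English installation silently fails a literal "+Administrators" and why a glob such as "+Administrator*" papers over the localized name at the cost of matching any group whose name starts that way.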