Corinna Vinschen writes:
>> Hmm. Doesn't appear to be working in any combination I tried, I'm always
>> getting an "invalid user" when I'm trying to do that. Is it possible that
>> the AD lookup doesn't work when using privilege separation?
>
> No idea. Did you try? You didn't use '@' as separator, by any chance?

No, I didn't change any settings from the default (apart from the lone sshd entry in /etc/passwd to make the local account visible to the sshd). The sshd runs under the sshd local account.

So, I've tried to let certain users in only if they match a name pattern (the pattern match is verified to work and shows up in the log) and are in group +Administrators as resolves with getent. As soon as I specify anything other than "*" in the AllowGroup config, these users are not allowed to log in. I've tried "Administrators", "+Administrators" and even "primaryDOM+Administrators".

The same happens for another list of users and a non-administrative group from the primary domain that basically all users are a member of; no changes in behaviour when I chose a domain group that I know has only a handful of users including the test account.

Regards,
Achim.