Likewise-open RequireMembershipOf broken

Asked by Patrick Cullen

I am using 10.4 with Likewise-open. I am trying to restrict login to a specific AD group called ARBFUND\Developers. In the /etc/likewise-open/lsassd.reg file I have changed

"RequireMembershipOf"=sza:""

to

"RequireMembershipOf"=sza:"ARBFUND\\Developers"

When I do this, no users can log in, including users that are part of this group.

I am using lwregshell import lsassd.reg && lw-refresh-configuration to get my changes loaded into Likewise from the lsassd.reg file.

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

Patrick Cullen (pbceeman75) said :
#1

The user I am testing with is ARBFUND\patrick.

I am using ssh ARBFUND\\patrick@<server> to connect. I get an error 'Access Denied'.

I ran the lw-list-groups-for-user ARBFUND\\patrick and this is the output

Group[1 of 12] name = ARBFUND\domain^users (gid = 219677185)
Group[2 of 12] name = ARBFUND\qanotify (gid = 219689209)
Group[3 of 12] name = ARBFUND\qa (gid = 219689159)
Group[4 of 12] name = ARBFUND\appadmin (gid = 219689222)
Group[5 of 12] name = ARBFUND\devtoolsadmins (gid = 219689227)
Group[6 of 12] name = ARBFUND\dev (gid = 219685013)
Group[7 of 12] name = ARBFUND\cwan (gid = 219689104)
Group[8 of 12] name = ARBFUND\gl (gid = 219688130)
Group[9 of 12] name = ARBFUND\developers (gid = 219686586)
Group[10 of 12] name = ARBFUND\allsubscribers79f2269a (gid = 219688192)
Group[11 of 12] name = ARBFUND\webadmins (gid = 219689575)
Group[12 of 12] name = BUILTIN\Users (gid = 1545)

I also tried specifying the group name as lower case and with a single slash, but neither helped.

Mike Dixson (mike-launchpad-net) said :
#2

Hi Patrick,

I've encountered the same issue.
I've managed to resolve it by changing the DomainSeparator value from "\\" to "+" and amending the RequireMembershipOf value accordingly:
"DomainSeparator"="+"
"RequireMembershipOf"=sza:"domainname+domain^admins"

Seems that there is a bug in using "\\". I'm guessing that the double backslash is escaping something incorrectly. I tried playing around a bit so that I could keep users logging in with domainname\username, but to no avail, and at this stage it's not essential for me and would hold up a project.

Hope that helps everyone.

Mike Dixson (mike-launchpad-net) said :
#3

Hi Patrick et al,

There's a fix available now at https://bugs.launchpad.net/bugs/575152 in addition to the workaround I provided.

Thanks
Mike
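
Added example (not part of the original thread, and not Likewise's own code): a check that the RequireMembershipOf value in lsassd.reg, once the .reg backslash escaping is undone, names a group that appears in the user's lw-list-groups-for-user output. It assumes case-insensitive name comparison, that membership in any one listed group is enough, and that group names are listed with the configured DomainSeparator; the function names and sample data are constructed from the lines quoted in the thread.

```python
import re

# Constructed samples: registry lines and command output as quoted in the thread.
REG_SAMPLE = r'''
"DomainSeparator"="\\"
"RequireMembershipOf"=sza:"ARBFUND\\Developers"
'''
GROUPS_SAMPLE = r'''
Group[1 of 12] name = ARBFUND\domain^users (gid = 219677185)
Group[9 of 12] name = ARBFUND\developers (gid = 219686586)
Group[12 of 12] name = BUILTIN\Users (gid = 1545)
'''

GROUP_LINE = re.compile(r'^Group\[\d+ of \d+\] name = (.+?) \(gid = \d+\)\s*$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def reg_values(reg_text, name):
    """Return the unescaped, non-empty quoted strings assigned to `name`."""
    pattern = re.compile(r'\s*"%s"\s*=\s*(?:sza:)?(.*)$' % re.escape(name))
    for line in reg_text.splitlines():
        m = pattern.match(line)
        if m:
            # .reg escaping: a backslash quotes the next character (\\ -> \).
            raw = QUOTED.findall(m.group(1))
            return [v for v in (re.sub(r'\\(.)', r'\1', r) for r in raw) if v]
    return []


def parse_groups(output):
    """Extract group names from lw-list-groups-for-user output lines."""
    return [m.group(1) for m in map(GROUP_LINE.match, output.splitlines()) if m]


def matching_groups(reg_text, groups_output):
    """Configured groups the user belongs to; an empty list means no match."""
    # Assumption: the default separator is a single backslash.
    sep = (reg_values(reg_text, "DomainSeparator") or ["\\"])[0]
    norm = lambda g: g.replace(sep, "\\").casefold()
    member_of = {norm(g) for g in parse_groups(groups_output)}
    required = reg_values(reg_text, "RequireMembershipOf")
    return [g for g in required if norm(g) in member_of]


if __name__ == "__main__":
    print(matching_groups(REG_SAMPLE, GROUPS_SAMPLE))
```

On the thread's data the check returns ARBFUND\Developers, so the configured value does name a group the test user belongs to once the escaping is undone.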
