JumpCloud Community

iainronayne · ‎06-01-2023

We have recently migrated identity management for our company to JumpCloud. We have an Ubuntu 22.04 server with Samba shares that has stopped updating the groups in /etc/group. Changes made in JumpCloud admin (adding users to groups and adding sudo to accounts) are not getting synched with the server. As a result, new users cannot access the shares unless we manually edit /etc/group. Users with the correct UID are added to the server, but the groups are not updated. On running service jcagent status, we see multiple entries of:

chfn[31880]: Authentication failure

Not sure if that's a red erring or not.

Has anyone seen this behaviour before?

Thanks

BrightRodger · ‎06-12-2023

@iainronayne JumpCloud will add/remove users from the sudo group if you bind the user to a Linux device that is being managed through the JumpCloud device agent. ~~JumpCloud will not create or manage "user groups" (from within the JumpCloud admin portal) as local groups on a Linux device.~~ EDIT: See Below

The primary means to manage other local user groups on a Linux machine itself would be to do this manually, or through the COMMANDs capability within JumpCloud (Basically the COMMANDS capability allow the device agent to operate as a root user and open a hidden terminal to run scripts)

EDIT:

Thanks to @crobar's comment below! You are correct, there IS a way to use the JumpCloud user groups and propagate them to the managed Linux device. There are some steps involved here;

Create a user group in JumpCloud.
1. Check box for “Create Linux group for this user group”, assign a random GroupID.
Create a device group in JumpCloud for the specific linux device you want to manage users groups on.
1. Bind that device to this device group.
Bind the User Group to the Device Group.
Now you must add the users you want to appear on the device to the user group you have created. This will propagate that user group to the device. The user MUST be a member of the user group or it will not appear on the device.
NOTE: getent group (or cat /etc/group) to see the groups on a device, groups username to see the groups a user is bound to.
So if you had 7 user groups you need on this device you would create 7 user groups in the JumpCloud admin portal, bind your user to all 7 groups, and then bind all 7 groups to the device group you created that has the one device in it.
This becomes much more useful when you have a fleet of devices (such as production servers) that all need large quantities of the same user groups and users on them, you can have a single device group with all your devices bound to it, and then various user groups all bound to that single device group.

crobar · ‎07-18-2024

I don't understand this answer since in group settings on the 'Details' tab there is an option 'Create Linux group for this user group', where you then choose the linux name and GID for the group, and indeed this group is created on the device. The only missing step is to add the correct users to the groups.

I understand why the OP is frustrated, because the current setup requires you to manually add users to the samba group on the device, and JumpCloud can't be used to manage this. Users can't access the samba resource until they are added to the local Linux group.

BrightRodger · ‎08-02-2024

I went ahead and edited my above comment. After some digging I think there is a fairly elegant manner which JumpCloud can manage those user groups on a Linux device, especially helpful with larger numbers of devices and groups.

JumpCloud Community

Ubuntu Samba server /etc/group not updating