[Samba] using spn with winbind

Rowland Penny rpenny at samba.org
Sat Jun 17 11:23:33 UTC 2023



On 16/06/2023 19:49, Stefan Kania via samba wrote:
> Hi,
> 
> With sssd I can do:
> $ ssh user@domain.tld@HOST1
> $ id user@domain.tld
> $ ls -al /home/domain.tld/user
> drwx------ 5 user@domain.tld domain users@domain.tld  103 12. Jun 14:14 .
> $ grep AllowGroups /etc/ssh/sshd_config
> AllowGroups lokale_gruppe samba_gruppe@domain.tld
> 
> When switching to winbind, only
> $ id user@domain.tld
> 
> is working; any other command is using user\domain
> 
> $ ls -al /home/domain.tld/brielmj
> drwxr-x--- 4 DOMAIN\user DOMAIN\domain users    4096 Jun 15 17:10 .
> $ grep AllowGroups /etc/ssh/sshd_config
> AllowGroups lokale_gruppe DOMAIN\samba_gruppe
> 
> Is there a way to use winbind the same way as I can do with sssd?
> 
> I've never thought about it, but I have a customer who wants to switch 
> from sssd to winbind and I can't find anything.
> 

Hi, Stefan,

I think you have something set up incorrectly, or you are connecting to 
a DC, or something changed after Samba 4.17.8.

I can log on using ssh with Kerberos to a Unix domain member running on 
bookworm (Samba 4.17.8):

rowland@devstation:~$ ssh rowland@TESTDM12.SAMDOM.EXAMPLE.COM
Creating directory '/home/rowland'.
Linux testdm12 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

If I run 'id' I get this:

rowland@testdm12:~$ id rowland@samdom.example.com
uid=11104(rowland) gid=10513(domain users) groups=10513(domain users),11104(rowland),10512(domain admins),10572(denied rodc password replication group),12605(testgroup),3001(BUILTIN\users),3000(BUILTIN\administrators)

and running 'ls' against my home directory gets this:

rowland@testdm12:~$ ls -la /home/rowland
total 32
drwxr-xr-x 3 rowland domain users 4096 Jun 17 12:12 .
drwxr-xr-x 4 root    root         4096 Jun 17 12:12 ..
-rw-r--r-- 1 rowland domain users  220 Jun 17 12:12 .bash_logout
-rw-r--r-- 1 rowland domain users 3526 Jun 17 12:12 .bashrc
drwx------ 3 rowland domain users 4096 Jun 17 12:12 .config
-rw-r--r-- 1 rowland domain users 5290 Jun 17 12:12 .face
lrwxrwxrwx 1 rowland domain users    5 Jun 17 12:12 .face.icon -> .face
-rw-r--r-- 1 rowland domain users  807 Jun 17 12:12 .profile

No 'DOMAIN' anywhere.

Rowland



