[Samba] using spn with winbind

Vaughan, Robert J vaughar2 at gdls.com
Sat Jun 17 13:23:53 UTC 2023 

Does he need "winbind use default domain = yes"  ?

Thanks,

Robert Vaughan

On 16/06/2023 19:49, Stefan Kania via samba wrote:
> Hi,
> 
> with sssd i can do:
> $ ssh user at domain.tld@HOST1
> $ id user at domain.tld
> $ ls -al /home/domain.tld/user
> drwx------ 5 user at domain.tld domain users at domain.tld  103 12. Jun 14:14 .
> $ grep AllowGroups /etc/ssh/sshd_config AllowGroups lokale_gruppe 
> samba_gruppe at domain.tld
> 
> When switching to winbind only
> $ id user at domain.tld
> 
> is working any other command is using user\domain
> 
> $ ls -al /home/domain.tld/brielmj
> drwxr-x--- 4 DOMAIN\user DOMAIN\domain users    4096 Jun 15 17:10 .
> $ grep AllowGroups /etc/ssh/sshd_config AllowGroups lokale_gruppe 
> DOMAIN\samba_gruppe
> 
> is there a way to use winbind the same way as I can do with sssd?
> 
> I've never tought about it, but i have a customer who want's to switch 
> from sssd to winbind and I can't find anything.
> 

Hi, Stefan,

I think you have something set up incorrectly, or you are connecting to a DC, or something changed after Samba 4.17.8

I can logon using ssh with kerberos to a Unix domain member running on bookworm (Samba 4.17.8)

rowland at devstation:~$ ssh rowland at TESTDM12.SAMDOM.EXAMPLE.COM
Creating directory '/home/rowland'.
Linux testdm12 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1
(2023-05-08) x86_64

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

If I run 'id' I get this:

rowland at testdm12:~$ id rowland at samdom.example.com
uid=11104(rowland) gid=10513(domain users) groups=10513(domain users),11104(rowland),10512(domain admins),10572(denied rodc password replication
group),12605(testgroup),3001(BUILTIN\users),3000(BUILTIN\administrators)

and running 'ls' against my home directory gets this:

rowland at testdm12:~$ ls -la /home/rowland total 32 drwxr-xr-x 3 rowland domain users 4096 Jun 17 12:12 .
drwxr-xr-x 4 root    root         4096 Jun 17 12:12 ..
-rw-r--r-- 1 rowland domain users  220 Jun 17 12:12 .bash_logout
-rw-r--r-- 1 rowland domain users 3526 Jun 17 12:12 .bashrc
drwx------ 3 rowland domain users 4096 Jun 17 12:12 .config
-rw-r--r-- 1 rowland domain users 5290 Jun 17 12:12 .face
lrwxrwxrwx 1 rowland domain users    5 Jun 17 12:12 .face.icon -> .face
-rw-r--r-- 1 rowland domain users  807 Jun 17 12:12 .profile

No 'DOMAIN' anywhere.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://urldefense.com/v3/__https://lists.samba.org/mailman/options/samba__;!!BlOwZnr7TA!nEVRVMmgXJljqDRn1zQu6gg2WMS7ghGV83TfzcM2vOn_n53FtUKUqQZmifxhkjVNofE6yB1S74BSqZMf$ 

----------------------------------------------------------------------
This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information.  No one else may read, print, store, copy, forward or act in reliance on it or its attachments.  If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.

More information about the samba mailing list