[Samba] using spn with winbind

Stefan Kania stefan at kania-online.de
Sun Jun 18 07:36:00 UTC 2023


Hi Rowland,

so it's different when using winbind instead of sssd ;-) And you can't 
get the same result with "ls -l " using winbind. That's what I also 
thought but as always: There is more between heaven and earth.

Stefan



Am 17.06.23 um 13:23 schrieb Rowland Penny via samba:
> 
> 
> On 16/06/2023 19:49, Stefan Kania via samba wrote:
>> Hi,
>>
>> With sssd I can do:
>> $ ssh user at domain.tld@HOST1
>> $ id user at domain.tld
>> $ ls -al /home/domain.tld/user
>> drwx------ 5 user at domain.tld domain users at domain.tld  103 12. Jun 14:14 .
>> $ grep AllowGroups /etc/ssh/sshd_config
>> AllowGroups lokale_gruppe samba_gruppe at domain.tld
>>
>> When switching to winbind only
>> $ id user at domain.tld
>>
>> is working, any other command is using user\domain
>>
>> $ ls -al /home/domain.tld/brielmj
>> drwxr-x--- 4 DOMAIN\user DOMAIN\domain users    4096 Jun 15 17:10 .
>> $ grep AllowGroups /etc/ssh/sshd_config
>> AllowGroups lokale_gruppe DOMAIN\samba_gruppe
>>
>> Is there a way to use winbind the same way as I can do with sssd?
>>
>> I've never thought about it, but I have a customer who wants to switch 
>> from sssd to winbind and I can't find anything.
>>
> 
> Hi, Stefan,
> 
> I think you have something set up incorrectly, or you are connecting to 
> a DC, or something changed after Samba 4.17.8
> 
> I can logon using ssh with kerberos to a Unix domain member running on 
> bookworm (Samba 4.17.8)
> 
> rowland at devstation:~$ ssh rowland at TESTDM12.SAMDOM.EXAMPLE.COM
> Creating directory '/home/rowland'.
> Linux testdm12 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 
> (2023-05-08) x86_64
> 
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
> 
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> 
> If I run 'id' I get this:
> 
> rowland at testdm12:~$ id rowland at samdom.example.com
> uid=11104(rowland) gid=10513(domain users) groups=10513(domain 
> users),11104(rowland),10512(domain admins),10572(denied rodc password 
> replication 
> group),12605(testgroup),3001(BUILTIN\users),3000(BUILTIN\administrators)
> 
> and running 'ls' against my home directory gets this:
> 
> rowland at testdm12:~$ ls -la /home/rowland
> total 32
> drwxr-xr-x 3 rowland domain users 4096 Jun 17 12:12 .
> drwxr-xr-x 4 root    root         4096 Jun 17 12:12 ..
> -rw-r--r-- 1 rowland domain users  220 Jun 17 12:12 .bash_logout
> -rw-r--r-- 1 rowland domain users 3526 Jun 17 12:12 .bashrc
> drwx------ 3 rowland domain users 4096 Jun 17 12:12 .config
> -rw-r--r-- 1 rowland domain users 5290 Jun 17 12:12 .face
> lrwxrwxrwx 1 rowland domain users    5 Jun 17 12:12 .face.icon -> .face
> -rw-r--r-- 1 rowland domain users  807 Jun 17 12:12 .profile
> 
> No 'DOMAIN' anywhere.
> 
> Rowland
> 
> 

