[Samba] shell login with multiple domains via trusts

D.L. Meyer dlmeyer at illinois.edu
Fri Sep 16 16:23:36 MDT 2011


We have this working now, with multiple trusted domains and forests.

We have 'use default domain' = true.

Members in our default domain can use either "userid" or "domain\userid" to 
connect.  Users from other domains must use "domain\userid".

Some potential gotchas to consider:
1) Ensure that the username that is actually processed by the auth 
mechanism is "domain\userid", and not "domain\\userid".   People using 
windows & PuTTY to connect will sometimes use "domain\\userid" and fail. 
Using the correct format with a single "\" works.   However, those 
connecting from other linux/unix/mac systems and a command-line ssh command 
will need to use the "domain\\userid" format to properly escape the "\" 
character so that it is properly passed down the line.   (using a single 
"\" here, results in an attempt to login with "domainuserid"...)

2) Group memberships may be interfering here.  You may have a requirement 
that only members of "domain users" can log in -- this will often also 
assume the default domain, and users from other domains will not be members 
of your default domain's "domain users" group.

Also, group checks against AD-based groups during SSH connections seem to 
be dicey, at best.

3) We've noted a change in domain group determination behavior between 
Samba 3.5.6 and 3.5.9.    Previously, we could count on a userid from a 
trusted domain to show group memberships from both the local system, the 
user's home domain and from the system's default domain.  (Probably from 
all trusted domains, but we didn't check/use that...)

As of Samba 3.5.9, a logged on user from a trusted domain was only showing 
a group list showing memberships from the local system and the user's home 
domain.   It no longer showed group memberships in groups in the system's 
default domain.    (And this breaks our operations rather horribly... ;-)


--On Friday, September 16, 2011 5:11 PM -0400 "Eric S. Hvozda" 
<hvozda at ack.org> wrote:

> It's been a long journey, bear with me.
> We have multiple domains, that have interdomain trusts in separate 
> I can successfully authenticate via "wbinfo -A A\\userA" and "wbinfo -A 
> B\\userB"; same with -K.
> The host is joined to AD "A".  UserA can authenticate successfully and 
> get a shell.
> However I desire B\\UserB to also be able to login as well.
> However, I can only have users from domain A login, and even then, if and 
> only if I have "winbind use default domain = true".
> However it would seem that "winbind use default domain = false" is 
> required to do what I desire. However, I can't seem to get PAM to deal with 
> the domain portion of the string.
> i.e. "A\\" of "A\\UserA" or "B\\" of "B\\UserB"
> Anyone out doing this already?
> How do I get PAM to strip the DOMAIN portion or winbind to strip it prior 
> to passing it to PAM?

Donald L. Meyer                                      <dlmeyer at illinois.edu>
   - Technical System Manager, ACES TeleNet Service
   - Technical Lead, ACES Web Infrastructure
Information Technology and Communication Services,  College of ACES
University of Illinois at Urbana-Champaign

   Video/H.323:  0012172445653   (GDS)
   Phone:        +
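A small shell check for the quoting trap in point 1 above, added here as an illustration and not taken from the thread or from Samba itself; the default domain "A" and the user names are assumed values:

```shell
#!/bin/sh
# Added example: shows what the login name looks like once the local shell has
# processed it, and normalizes the "DOMAIN\user" spellings from point 1.
# DEFAULT_DOMAIN is an assumed stand-in for the domain the host is joined to.
DEFAULT_DOMAIN="A"

# Print "domain user" for the raw login name given as $1.
#   - a doubled backslash (the "DOMAIN\\user" that PuTTY users sometimes
#     type) is collapsed to a single one, so both spellings come out alike
#   - a name with no backslash is assigned to the default domain, mirroring
#     "winbind use default domain = true"
split_login() {
    raw=$1
    # collapse '\\' -> '\' before splitting
    norm=$(printf '%s' "$raw" | sed 's/\\\\/\\/g')
    case $norm in
        *\\*)
            dom=${norm%%\\*}
            usr=${norm#*\\}
            ;;
        *)
            dom=$DEFAULT_DOMAIN
            usr=$norm
            ;;
    esac
    printf '%s %s\n' "$dom" "$usr"
}

# Constructed inputs. Unquoted on a Unix command line the shell eats the
# backslash, which is the "domainuserid" failure described in point 1:
split_login A\userA      # -> "A AuserA"  (treated as default-domain user AuserA)
split_login 'A\userA'    # -> "A userA"
split_login A\\userA     # -> "A userA"   (escaped, as command-line ssh users must type it)
split_login 'B\\userB'   # -> "B userB"   (doubled backslash, PuTTY style)
split_login userB        # -> "A userB"   (no domain given: default domain assumed)
```

The last line is the catch from point 2: a bare "userB" is looked up in the default domain, not in B, so users from trusted domains must keep the "B\\userB" form.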
