[Samba] DM and ''offline'' PAM (and NSS?)...
Rowland Penny
rpenny at samba.org
Mon Dec 18 16:04:03 UTC 2017
On Mon, 18 Dec 2017 16:44:32 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
>
> > What you show below is correct.
> > In linux, DOM\user != user
>
> I know. And I was using 'wbinfo', which, AFAIK, queries winbind directly
> and no POSIX stuff...
>
>
> > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> > [realms]
> >     SAMDOM.EXAMPLE.COM = {
> >         auth_to_local = RULE:[1:SAMDOM\$1]
> >     }
>
> Interesting! I've looked at that in the past, but I was not interested
> in SSO so I probably skipped it.
>
> Anyway, I've tried to comment out 'winbind use default domain = yes'
> and add this stanza to /etc/krb5.conf, but it seems it does not work, e.g.:
>
> root@vdmsv1:~# getent passwd gaio
> root@vdmsv1:~# getent passwd LNFFVG\\gaio
> LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
>
> only the 'domainful' version of the account works.
Of course it doesn't work. If you look at 'winbind use default domain =
yes', it is clearly telling 'winbind' to use the default domain even if
it is not supplied. If it is turned off, then 'gaio' is not a domain
member, but 'LNFFVG\\gaio' is.
>
>
> > Now, since I'm not sure this works OK, I don't use it on my Debian
> > servers, I use option 2. Option 2 is to ignore the "not recommended"
> > setting: "winbind use default domain = yes"
>
> Also I, option 2. ;-)
>
Just don't add a trusted domain ;-)
Rowland
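
An added example, not part of the original message or of Samba or MIT krb5 code: the auth_to_local rule quoted in the thread is applied when a Kerberos principal is mapped to a local account name, while getent goes through NSS and never reads it, so the two lookups are modelled separately here. The rule handling covers only the RULE:[n:string] selection form; winbind_getpwnam is a simplified, hypothetical model, the rule uses the LNFFVG workgroup in place of SAMDOM, and REALM.EXAMPLE is a placeholder because the thread does not give the realm.

```python
import re

# Selection part of an MIT krb5 auth_to_local rule: RULE:[n:string]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]$")

def aname_to_localname(principal, rule):
    """Map a Kerberos principal to a local name with one RULE:[n:string].

    Only the selection string is handled (no regexp filter, no sed part).
    Returns None when the principal does not have exactly n components.
    """
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    if "@" not in principal:
        raise ValueError("principal has no realm: " + principal)
    want, template = int(m.group(1)), m.group(2)
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if len(components) != want:
        return None
    fields = [realm] + components          # $0 = realm, $1..$n = components
    return re.sub(r"\$(\d+)", lambda d: fields[int(d.group(1))], template)

def winbind_getpwnam(name, accounts, workgroup, use_default_domain):
    """Simplified model (an assumption, not winbind code) of the NSS lookup.

    accounts is keyed by the full DOMAIN\\user form. A bare name is only
    qualified with the workgroup when 'winbind use default domain = yes'.
    """
    if "\\" not in name:
        if not use_default_domain:
            return None
        name = workgroup + "\\" + name
    return accounts.get(name)

# Constructed sample data based on the getent output quoted in the thread.
ACCOUNTS = {r"LNFFVG\gaio":
            r"LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash"}
RULE = r"RULE:[1:LNFFVG\$1]"   # the wiki rule with the workgroup swapped in
REALM = "REALM.EXAMPLE"        # placeholder: the realm is not in the thread

if __name__ == "__main__":
    local = aname_to_localname("gaio@" + REALM, RULE)
    print(local)
    print(winbind_getpwnam("gaio", ACCOUNTS, "LNFFVG", False))
    print(winbind_getpwnam(local, ACCOUNTS, "LNFFVG", False))
```

With the default domain turned off, the bare name finds nothing through NSS, while the name produced by the rule resolves to the domain-qualified entry.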