[Samba] Samba as a domain member:
Rowland penny
rpenny at samba.org
Tue Jun 16 13:34:04 UTC 2020
On 16/06/2020 13:55, Vieri Di Paola via samba wrote:
> Yes:
>
> # getent group GROUP
> group:x:17573:
>
> # getent group group2
> group2:x:11010:
>
> # getent group GROUP3
> group3:x:21178:
>
> # wbinfo --group-info GROUP
> group:x:17573:
>
> # wbinfo -n GROUP
> S-1-5-21-948789634-15155995-928725530-7573 SID_DOM_GROUP (2)
>
OK, I am not an expert on OpenVPN, but from 'man pam_winbind':
    require_membership_of=[SID or NAME]
        If this option is set, pam_winbind will only succeed if the
        user is a member of the given SID or NAME. A SID can be either a
        group-SID, an alias-SID or even a user-SID. It is also possible
        to give a NAME instead of the SID. That name must have the form:
        MYDOMAIN\\mygroup or MYDOMAIN\\myuser. pam_winbind will, in that
        case, lookup the SID internally. Note that NAME may not contain
        any spaces. It is thus recommended to only use SIDs. You can
        verify the list of SIDs a user is a member of with
        wbinfo --user-sids=SID.
        This option must only be specified on an auth module
        declaration, as it only operates in conjunction with password
        authentication.
So, from that, you need to remove 'require_membership_of=GROUP' from the
'account' line in /etc/pam.d/openvpn-ivpn.
You also, it would seem, need to replace 'require_membership_of=GROUP'
with 'require_membership_of=DOMAIN\\GROUP' or
'require_membership_of=S-1-5-21-948789634-15155995-928725530-7573' on
the auth line in /etc/pam.d/openvpn-ivpn.
Rowland
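As an added check (not part of the thread or of Samba), the script below lints a PAM service file such as /etc/pam.d/openvpn-ivpn for the two mistakes discussed above: require_membership_of on a line other than auth, and a value that is neither a SID nor DOMAIN\name. The function name is hypothetical; it assumes the usual `type control module options` layout of pam.d files.

```shell
#!/bin/sh
# Lint a PAM service file for the two require_membership_of mistakes
# discussed in the thread: the option on a line other than 'auth' (pam_winbind
# only applies it during password authentication) and a value that is neither
# a SID nor a DOMAIN\name. Prints one finding per line and returns 1 if any.
lint_pam_winbind() {  # $1 = path to a PAM service file, e.g. /etc/pam.d/openvpn-ivpn
  awk '
    /^[[:space:]]*#/ || NF < 3 { next }           # skip comments and blank lines
    {
      mod = 0
      for (i = 3; i <= NF; i++)                   # locate the module field; the control
        if ($i ~ /pam_winbind\.so$/) mod = i      # field may be [bracketed ...] with spaces
      if (!mod) next                              # not a pam_winbind line
      for (i = mod + 1; i <= NF; i++) {
        if ($i !~ /^require_membership_of=/) continue
        val = $i
        sub(/^require_membership_of=/, "", val)
        if ($1 != "auth") {
          print FILENAME ":" NR ": require_membership_of on " $1 " line is not applied; put it on the auth line"
          bad = 1
        }
        if (val !~ /^S-1-/ && val !~ /\\/) {
          print FILENAME ":" NR ": value " val " is neither a SID nor DOMAIN\\name"
          bad = 1
        }
      }
    }
    END { exit bad }
  ' "$1"
}
```

Run it as `lint_pam_winbind /etc/pam.d/openvpn-ivpn`; a clean file produces no output and exit status 0.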