[Samba] Samba as a domain member:

Rowland penny rpenny at samba.org
Tue Jun 16 13:34:04 UTC 2020

On 16/06/2020 13:55, Vieri Di Paola via samba wrote:
> Yes:
> # getent group GROUP
> group:x:17573:
> # getent group group2
> group2:x:11010:
> # getent group GROUP3
> group3:x:21178:
>   # wbinfo --group-info GROUP
> group:x:17573:
> # wbinfo -n GROUP
> S-1-5-21-948789634-15155995-928725530-7573 SID_DOM_GROUP (2)
OK, I am not an expert on OpenVPN, but from 'man pam_winbind':

        require_membership_of=[SID or NAME]
            If this option is set, pam_winbind will only succeed if the 
user is a member of the given SID or NAME. A SID can be either a 
group-SID, an alias-SID or even an user-SID. It
            is also possible to give a NAME instead of the SID. That 
name must have the form: MYDOMAIN\\mygroup or MYDOMAIN\\myuser. 
pam_winbind will, in that case, lookup the SID
            internally. Note that NAME may not contain any spaces. It is 
thus recommended to only use SIDs. You can verify the list of SIDs a 
user is a member of with wbinfo

            This option must only be specified on a auth module 
declaration, as it only operates in conjunction with password 

So, from that, you need to remove 'require_membership_of=GROUP' from the 
'account' line in /etc/pam.d/openvpn-ivpn
You also, it would seem, need to replace 'require_membership_of=GROUP' 
with 'require_membership_of=DOMAIN\\GROUP' or 
'require_membership_of=S-1-5-21-948789634-15155995-928725530-7573' on 
the auth line in /etc/pam.d/openvpn-ivpn


More information about the samba mailing list