[Samba] SSH, pam_winbind and cross-forest membership...

Christopher Cox chriscox at endlessnow.com
Wed Apr 20 21:18:24 UTC 2022

On 4/20/22 15:07, Marco Gaiarin via samba wrote:
> In a multidomain/forest environment, it seems that on domain members some
> cross-forest memberships get evaluated by pam_winbind only after a
> successful logon.
> But what if I need (for example) users to log on to a server via SSH if
> and only if they are members of a particular cross-forest group
> (e.g. using AllowGroups in sshd_config)?
> How can I solve this 'chicken and egg' problem?
> Thanks.

At the risk of getting ultra-hacky, you could look into using an extra nss
provider where you populate the group data by doing your own enumeration of all
of that (by some means).

There are several modules out there.  Like nss_altfiles.
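
A sketch of the "own enumeration" approach suggested above, added here as an example and not part of the original message: it renders and atomically installs a group(5) file for an alternate NSS provider such as nss_altfiles. The group name, GID, member spellings and target path are assumptions, and how the member list is obtained is left to the caller.

```python
import os
import re
import tempfile

# Assumption: members are spelled exactly as winbind reports the user name on
# this host, e.g. OTHERFOREST\alice with the default "\" separator.
_MEMBER = re.compile(r"[A-Za-z0-9._-]+(\\[A-Za-z0-9._$-]+)?")
_GROUP = re.compile(r"[a-z_][a-z0-9_-]*")


def render_group_line(group, gid, members):
    """Return one group(5) line: name:x:gid:member1,member2."""
    if not _GROUP.fullmatch(group):
        raise ValueError(f"bad group name: {group!r}")
    if not 1000 <= gid < 2**31:  # assumption: stay clear of system GIDs
        raise ValueError(f"gid {gid} is outside the allowed range")
    if not members:
        # An empty list more likely means the enumeration failed.
        raise ValueError("refusing to write a group with no members")
    for m in members:
        # fullmatch rejects ':', ',' and newlines, which would otherwise
        # forge extra fields or whole entries (e.g. a gid 0 group).
        if not _MEMBER.fullmatch(m):
            raise ValueError(f"bad member name: {m!r}")
    return f"{group}:x:{gid}:{','.join(sorted(set(members)))}"


def write_group_file(path, lines):
    """Atomically replace path so NSS never reads a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".group.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(line + "\n" for line in lines))
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)  # readable by all, writable by owner only
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed sample data; a real run takes the list from your own
    # enumeration and writes to the file your nss_altfiles build reads.
    members = ["OTHERFOREST\\alice", "OTHERFOREST\\bob"]
    print(render_group_line("ssh-xforest", 60001, members))
```

AllowGroups in sshd_config would then name the local group (ssh-xforest in this sketch), with the alternate provider listed on the group line of nsswitch.conf.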
