[Samba] SSH, pam_winbind and cross-forest membership...
Marco Gaiarin
gaio at lilliput.linux.it
Wed Apr 27 21:32:30 UTC 2022
Hello! Christopher Cox via samba
On that day it was said...
> At the risk of getting ultra-hacky, you could look into using an extra nss
> provider where you populate the group data by doing your own enumeration of all
> of that (by some means).
> There are several modules out there. Like nss_altfiles.
Seems too 'hacky', right. Also, I currently have 'three ways' to auth, but none
works in a multidomain/forest environment (or, at least, I've not managed to
make it work):
1) winbind: works as expected, but complex membership gets evaluated only
post login, so the 'chicken and egg' trouble.
2) kerberos: I've not managed to make it work in a multidomain/forest;
there's no group membership.
3) pure LDAP: I've not tried it, but probably with the correct config I can
obtain all that I need (UPN login; group membership), but it is a bit hard
to set up, and Rowland and Louis say «don't use LDAP, use Kerberos» now and
then. ;-)
--
...and you go who knows where so as not to pay taxes,
with the sneer and the ignorance of the top of the class. (F. Guccini)