[Samba] SSH, pam_winbind and cross-forest membership...

[Marco Gaiarin]

Mandi! Christopher Cox via samba
  In chel di` si favelave...

> At the risk of getting ultra-hacky, you could looking into using an extra nss 
> provider where you populate the group data by doing your own enumeration of all 
> of that (by some means).
> There are several modules out there.  Like nss_altfiles.

Seems to 'hacky', right. Also, i've currently 'three way' to auth, but none
works in a multidomain/forest environment (or, at least, i've not managed to
make it work):

1) winbind: work as expected, but complex membership get evaluated only on
 post login, so the 'chiken and egg' trouble.

2) kerberos: i've not managed to make it work in a multidomain/forest;
 there's no group mambership.

3) pure LDAP: i've not tried it, but probably with the correct config i can
 obtain all what i need (UPN login; group membership), but it is a bit hard
to setup, and Rowland and Lous says «don't use LDAP, use Kerberos» now and
then. ;-)

-- 
  ...e andate chissa` dove per non pagar le tasse
  col ghigno e l'ignoranza dei primi della classe.	(F. Guccini)