[Samba] pam_winbind, ssh and cross-forest membership...
Rowland Penny
rpenny at samba.org
Tue Jan 11 12:04:13 UTC 2022
On Tue, 2022-01-11 at 12:15 +0100, Marco Gaiarin via samba wrote:
> Situation: multiforest AD domain, RHEL8, samba 4.14.5-2.el8.x86_64 .
>
>
> User 'a' is a member of 'groupa' in domain SUBA.DOM.IT, in a forest
> where the domain 'DOM.IT' has a group 'supergroup' that has 'groupa'
> as a member.
Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT'?
>
>
> If I put in sshd_config:
>
> AllowGroups root supergroup
>
> the user is NOT allowed to log in. Also, if I do:
>
> id a
Problem is, you should be using 'id DOMAIN\\a', where 'DOMAIN' is the
workgroup of user 'a'.
>
> 'supergroup' is not listed as a membership; clearly, if I do:
>
> getent group supergroup
>
> 'supergroup' gets listed (with empty membership).
>
>
> Seems like winbind by default does not expand the cross-forest membership.
>
>
> Is there some way to force it? Thanks.
It will undoubtedly help if you post your smb.conf file.
Rowland