[Samba] pam_winbind, ssh and cross-forest membership...

Alex samba at abisoft.biz
Tue Jan 11 11:58:42 UTC 2022

Hello Marco,

Won't "winbind expand groups = 5" help?

> Situation: multiforest AD domain, RHEL8, samba 4.14.5-2.el8.x86_64.

> User 'a' is a member of 'groupa' in domain SUBA.DOM.IT, in a forest where the
> domain 'DOM.IT' has a group 'supergroup' that has 'groupa' as a member.

> If I put in sshd_config:

>         AllowGroups root supergroup

> users are NOT allowed to log in. Also if I do:

>         id a

> 'supergroup' is not listed as a membership; clearly if I do:

>         getent group supergroup

> 'supergroup' gets listed (with empty membership).

> Seems like winbind by default does not expand the cross-forest membership.

> Is there some way to force it? Thanks.

Best regards,
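
Added example, not part of the original messages and not Samba code: sshd matches AllowGroups against the user's primary and supplementary group list (what `id` prints), not against the member list that `getent group` shows, so this script classifies the symptom from those two outputs. The function name, the result labels and the sample GIDs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Compares by numeric GID so that
# "DOM\group" prefixes or spaces in winbind names cannot cause a false miss.

# classify GETENT_LINE ID_G_OUTPUT USER
#   GETENT_LINE  one line of `getent group GROUP` (name:passwd:gid:members)
#   ID_G_OUTPUT  output of `id -G USER` (space-separated numeric GIDs)
#   USER         user name, written the way getent lists members
# Prints: unresolved | in-id | getent-only | missing
classify() {
    line=$1; gids=$2; user=$3
    if [ -z "$line" ]; then
        echo unresolved; return 2      # NSS cannot resolve the group at all
    fi
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    members=$(printf '%s\n' "$line" | cut -d: -f4)
    for g in $gids; do
        if [ "$g" = "$gid" ]; then
            echo in-id; return 0       # in the list AllowGroups is matched against
        fi
    done
    case ",$members," in
        *",$user,"*) echo getent-only; return 1 ;;  # listed as member, absent from id
    esac
    echo missing; return 1             # resolves, but no membership either way
}

if [ $# -eq 2 ]; then
    # Live check: ./check.sh USER GROUP
    classify "$(getent group "$2")" "$(id -G "$1")" "$1"
else
    # Constructed sample reproducing the symptom in the post (GIDs are made up).
    classify 'supergroup:x:20001:' '10513 20002' 'a' || true
fi
```

Only `in-id` means an `AllowGroups supergroup` line can admit the user; `missing` is the state described in the quoted message.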
