[Samba] pam_winbind, ssh and cross-forest membership...
Dirk Laurenz
samba at laurenz.ws
Tue Jan 18 23:16:57 UTC 2022
Sorry wrong thread
-----Ursprüngliche Nachricht-----
Von: samba <samba-bounces at lists.samba.org> Im Auftrag von Dirk Laurenz via
samba
Gesendet: Dienstag, 18. Januar 2022 23:52
An: 'Rowland Penny' <rpenny at samba.org>; samba at lists.samba.org
Betreff: Re: [Samba] pam_winbind, ssh and cross-forest membership...
Here it is: https://www.dropbox.com/s/gv4manfg1g8st4d/jd01.zip?dl=0
-----Ursprüngliche Nachricht-----
Von: samba <samba-bounces at lists.samba.org> Im Auftrag von Rowland Penny via
samba
Gesendet: Dienstag, 18. Januar 2022 22:25
An: samba at lists.samba.org
Betreff: Re: [Samba] pam_winbind, ssh and cross-forest membership...
On Tue, 2022-01-18 at 19:15 +0100, Marco Gaiarin via samba wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > Can you provide a link to where Andrew said this ?
>
> https://lists.samba.org/archive/samba/2019-November/226864.html
>
> and the thread, but probably re-reading now all the stuff probably
> i've misinterpreted something.
OK, Andrew wrote:
It only strips the default domain. All the others are untouched. It is
(essentially) also only in the getpwnam() and pam codepaths, not in the
SID->ID stuff, we generally avoid going via names as much as possible.
However 'man smb.conf' says this about 'winbind use default domain':
This parameter specifies whether the winbindd(8) daemon should operate on
users without domain component in their username. Users without a domain
component are treated as is part of the winbindd server's own domain.
While this does not benefit Windows users, it makes SSH, FTP and e-mail
function in a way much closer to the way they would in a native unix system.
This option should be avoided if possible. It can cause confusion about
responsibilities for a user or group. In many situations it is not clear
whether winbind or /etc/passwd should be seen as authoritative for a user,
likewise for groups.
One of those must be wrong, it either uses the default domain (or no
domain) for all users and groups (no matter the origing domain) or it only
works with the users and groups from the default domain.
If you set 'winbind use default domain = yes' in a smb.conf file with
multiple domains, then strange things happen. There is also the fact that
the parameter is 'winbind use default domain', the 'default'
domain (When using the 'rid' or 'ad' backend) is the one that isn't '*'. How
does winbind know what is the 'default' domain if there are more than one
domain that isn't the '*' domain ?
If Andrew is correct, then the 'winbind use default domain' parameter in
'man smb.conf' needs a much better description.
>
>
> > The smb.conf manpage still says this about 'windows use default
> > domain':
>
> Andrew say something about this. It suffices NOT to have login
> clashes, and there's no login clashes.
>
>
> Anyway, bount another strange thing about this: domain forest root
> tree DOM.IT, four domains joined in forest SUBA.DOM.IT, SUBB, SUBC and
> SUBD.
>
> User 'a' of domain SUBA.DOM.IT member also of group 'groupa' in forest
> root tree domain DOM.IT.
>
> In a machien joined to whatever SUB domain (with or without 'winbind
> use default domain = yes'), user 'a' result in group 'groupa'; if the
> machine is joined to forest root 'DOM.IT', user NOT belong to 'groupa'
> user.
>
>
> I need to dig a bit deeper...
I can lend you a good spade :-D
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list