[Samba] pam_winbind, ssh and cross-forest membership...

Marco Gaiarin gaio at lilliput.linux.it
Fri Jan 21 10:52:47 UTC 2022

OK, I restate all the stuff, hoping someone can answer.

Situation: AD Forest (done with MS ADDC, sorry...) composed of a 'forest
tree' domain DOM.IT (DOM) and 4 subdomains SUBA.DOM.IT (SUBA), SUBB.DOM.IT

Supposing every subdomain has a user and a group, for the sake of simplicity:
 + SUBA\usera member of SUBA\groupa
 + SUBB\userb member of SUBB\groupb
 + SUBC\userc member of SUBC\groupc
 + SUBD\userd member of SUBD\groupd

Also, the forest tree domain has a group, suppose 'DOM\admins', and all
4 users are members (directly, or indirectly by means of other groups).

If I set up a pretty standard RH 8.5 compatible distro, samba
4.14.5-2.el8.x86_64, with an smb.conf like:

> [global]
>         kerberos method = secrets and keytab
>         realm = DOM.IT
>         security = ADS
>         template shell = /bin/bash
>         winbind expand groups = 5
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = DOM
>         idmap config * : range = 1000 - 9999
>         idmap config SUBD : backend = rid
>         idmap config SUBD : range = 700000 - 749999
>         idmap config SUBC : backend = rid
>         idmap config SUBC : range = 500000 - 549999
>         idmap config SUBB : backend = rid
>         idmap config SUBB : range = 300000 - 349999
>         idmap config SUBA : backend = rid
>         idmap config SUBA : range = 10000 - 99999
>         idmap config DOM : backend = rid
>         idmap config DOM : range = 2000000-2999999
>         idmap config * : backend = tdb

and join the machine to the DOM domain, configuring PAM/NSS/winbind, I can
log in to the box using all the aforementioned users.

But if I add to sshd_config:

	AllowGroups root admins

('DOM\admins' and 'winbind use default domain = No' change nothing, Rowland) ssh
logon is refused, and I note that if I do:

	id usera

I get all the memberships of 'usera', apart from the memberships in the forest
tree domain (e.g. 'DOM\admins').

At this point we start to get puzzled, probably by some cache (samba or
NSS), because, for example:

a) if we relax 'AllowGroups', do a logon and then set the filter on
'DOM\admins' membership again, it now works; and after logon, users get the
correct membership.

b) if we join the same machine to a subdomain (e.g. 'SUBD.DOM.IT'), 'DOM\admins'
membership also appears for other users, not only for 'SUBD\userd' (but
probably this is also a 'cache effect', we are not sure...).

It seems to me that the default NSS/winbind configuration is not able to
correctly 'evaluate' all the memberships at the ssh auth stage, but only
after a successful logon.

But clearly this is a problem... users get fixed if they log on, but cannot
log on if they are not fixed... ;-)

I hope I was clear now. Thanks.

  Internet it's the largest equivalence class in the reflexive
  transitive symmetric closure of the relationship:
  ``can be reached by an IP packet from''.		(Seth Breidbart)
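A diagnostic script, added here as an example and not part of the original post or of Samba, that makes the symptom above visible: it compares the group list NSS returns for a user (the view sshd's AllowGroups check gets) against the groups winbind resolves directly through wbinfo, and lists those missing from the NSS view. It assumes id, getent and wbinfo are on the box and that the user name is given in the form id accepts (e.g. usera, or SUBA\usera for a non-default domain).

```shell
#!/bin/sh
# Compare the group list NSS returns for a domain user (the view sshd's
# AllowGroups check gets) with the domain groups winbind itself resolves,
# and print every group winbind knows about that NSS does not show.
# Names are compared on the part after the domain separator ('\' or '+'),
# lowercased, so 'DOM\admins' and 'admins' count as the same group.

# Strip any domain prefix and lowercase; one name per input line.
normalize() {
    sed -e 's/^.*[\\+]//' | tr 'A-Z' 'a-z' | sed -e '/^$/d'
}

# Pure comparison: $1 = NSS group list, $2 = winbind group list, both
# newline-separated. Prints the normalized names found only in $2.
missing_groups() {
    nss=$(printf '%s\n' "$1" | normalize)
    printf '%s\n' "$2" | normalize | sort -u | while IFS= read -r g; do
        printf '%s\n' "$nss" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# Groups as NSS reports them for the user (gid -> name via getent, so
# group names containing spaces survive intact).
nss_groups() {
    for gid in $(id -G "$1"); do
        getent group "$gid" | cut -d: -f1
    done
}

# Groups as winbind resolves them: user name -> user SID -> group SIDs
# -> group names ('DOM\admins 2' is trimmed to 'DOM\admins').
winbind_groups() {
    usersid=$(wbinfo -n "$1" | cut -d' ' -f1) || return 1
    wbinfo --user-domgroups="$usersid" | while IFS= read -r sid; do
        wbinfo -s "$sid" | sed -e 's/ [0-9]*$//'
    done
}

# Usage: sh check_winbind_groups.sh usera
if [ -n "$1" ]; then
    m=$(missing_groups "$(nss_groups "$1")" "$(winbind_groups "$1")")
    if [ -n "$m" ]; then
        echo "Groups winbind resolves but NSS does not show for $1:"
        echo "$m"
    else
        echo "NSS and winbind agree on the group list for $1."
    fi
fi
```

Running it for 'usera' before and after a first successful logon shows whether the forest-tree groups (such as 'DOM\admins') appear in the winbind list but not in the NSS list, which is the state in which AllowGroups would refuse the user.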
