[Samba] SSH, pam_winbind and cross-forest membership...
Marco Gaiarin
gaio at lilliput.linux.it
Mon May 9 13:57:56 UTC 2022
Still replying to myself. ;-)
> 1) winbind: works as expected, but complex membership gets evaluated only on
> post login, so the 'chicken and egg' trouble.
Probably this is a very stupid answer, and probably I owe shame to all the list,
but we are using 'domain local' groups, which clearly are 'domain local'...
After switching to 'Universal group', the cross-forest membership now works as
expected.
Still, a minor glitch remains: we have found that if we remove a user from an
authorized group, the user can still do a 'latest logon', because the membership
cache gets updated on a successful logon.
Is there some way to fine-tune the membership cache in winbind?
Thanks.
--
but the exceptional feat, take my word for it,
is being normal (L. Dalla)