[Samba] SSH, pam_winbind and cross-forest membership...

[Marco Gaiarin]

Still replying to myself. ;-)

> 1) winbind: work as expected, but complex membership get evaluated only on
>  post login, so the 'chiken and egg' trouble.

Probably is a very stupind answer, and probably i owe shame by all the list,
but we are using 'domain local' groups, that clearly are 'domain local'...

Switching to 'Universal group' now the cross-forest membership works as
expected.


Still a minor glitch remain: we have found that if we remove a user from an
authorized group, user can still do a 'latest logon', because membership
cache get updated on a successful logon.


There's some way to fine tune in winbind the membershup cache?


Thanks.

-- 
  ma l'impresa eccezionale, dammi retta
  e` essere normale					(L. Dalla)