[Samba] SSH, pam_winbind and cross-forest membership...

Marco Gaiarin gaio at lilliput.linux.it
Mon May 9 13:57:56 UTC 2022

Still replying to myself. ;-)

> 1) winbind: work as expected, but complex membership get evaluated only on
>  post login, so the 'chiken and egg' trouble.

Probably is a very stupind answer, and probably i owe shame by all the list,
but we are using 'domain local' groups, that clearly are 'domain local'...

Switching to 'Universal group' now the cross-forest membership works as

Still a minor glitch remain: we have found that if we remove a user from an
authorized group, user can still do a 'latest logon', because membership
cache get updated on a successful logon.

There's some way to fine tune in winbind the membershup cache?


  ma l'impresa eccezionale, dammi retta
  e` essere normale					(L. Dalla)

More information about the samba mailing list