[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Marco Gaiarin
gaio at lilliput.linux.it
Fri Nov 14 16:43:46 UTC 2025
Hello! Marco Gaiarin
On that day it was said...
>> To get AllowGroups to work, you must set "winbind expand groups = 1"; if you are using nested groups, increase the number.
> I'll give it a try, thanks Stefan.
No, it seems not so simple to me.
Current smb.conf:

[global]
    kerberos method = secrets and keytab
    realm = TRE.MYDOMAIN.REDACTED
    security = ADS
    template shell = /bin/bash
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MYDOMAIN_TRE
    idmap config * : range = 5000 - 9999
    idmap config mydomain_qua : backend = rid
    idmap config mydomain_qua : range = 700000 - 749999
    idmap config mydomain_tre : unix_primary_group = yes
    idmap config mydomain_tre : backend = rid
    idmap config mydomain_tre : range = 500000 - 549999
    idmap config mydomain_due : backend = rid
    idmap config mydomain_due : range = 300000 - 349999
    idmap config mydomain_uno : backend = rid
    idmap config mydomain_uno : range = 10000 - 99999
    idmap config mydomain : range = 2000000-2999999
    idmap config mydomain : backend = rid
    idmap config * : backend = tdb
No smbd running, only winbind. Every modification was done by restarting winbind
and running 'net cache flush' twice.
[root@svoltest1 ~]# id "myadmin"
uid=501108(myadmin) gid=500513(domain users) gruppi=500513(domain users),501108(myadmin),502108(tre_server_login_admins),500572(denied rodc password replication group),303336(MYDOMAIN_DUE\due_ad_domain_admin),702605(MYDOMAIN_QUA\qua_ad_domain_admin),2001241(MYDOMAIN\mydomain_admin_laps),301743(MYDOMAIN_DUE\due_ad_admin),2001625(MYDOMAIN\mydomain_pc_admins),2001195(MYDOMAIN\mydomain_wiki_admins),501413(tre_ad_admin),701483(MYDOMAIN_QUA\qua_ad_admin),13389(MYDOMAIN_LOM\bp_xnat),2001206(MYDOMAIN\mydomain_bacula_admins),500512(domain admins)
If I add, to give it a try:
winbind enum groups = Yes
winbind enum users = Yes
I obtain:
[root@svoltest1 ~]# id "myadmin"
uid=501108(myadmin) gid=500513(domain users) gruppi=500513(domain users),501108(myadmin),502108(tre_server_login_admins),500572(denied rodc password replication group),303336(MYDOMAIN_DUE\due_ad_domain_admin),702605(MYDOMAIN_QUA\qua_ad_domain_admin),2001241(MYDOMAIN\mydomain_admin_laps),301743(MYDOMAIN_DUE\due_ad_admin),2001625(MYDOMAIN\mydomain_pc_admins),2001195(MYDOMAIN\mydomain_wiki_admins),501413(tre_ad_admin),701483(MYDOMAIN_QUA\qua_ad_admin),13389(MYDOMAIN_LOM\bp_xnat),2001206(MYDOMAIN\mydomain_bacula_admins),500512(domain admins)
(exactly the same); if I remove the 'enum' lines above and add:
winbind expand groups = 2
I obtain:
[root@svoltest1 ~]# id "myadmin"
uid=501108(myadmin) gid=500513(domain users) gruppi=500513(domain users),501108(myadmin),502108(tre_server_login_admins),500572,303336,702605,2001241,301743,2001625,2001195,501413(tre_ad_admin),701483,13389,2001206,500512(domain admins)
So, the same memberships, but with some unknown groups.

Anyway, all the trouble came from sshd, e.g. it seems that if I run 'id', groups
get enumerated correctly, but if I try to use 'AllowGroups' in sshd, sometimes
groups do not get evaluated/cached, and so logon fails.
Thanks.
--
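The post's last `id` output shows several memberships that come back as bare GIDs with no name, which is exactly what makes an sshd AllowGroups match unreliable: sshd can only compare group names, so an unresolved GID never matches. The following script is an added diagnostic example, not code from the post or from the Samba project. It parses the idmap ranges out of an smb.conf and the groups part of an `id` line, reports every GID that failed to resolve together with the idmap range (domain) it falls in, and checks that no two idmap ranges overlap. The smb.conf fragment and the `id` line embedded below are constructed from the values shown in the post (the `gruppi=` prefix is the Italian-locale spelling of `groups=`); the function names are the example's own.

```python
"""Diagnose unresolved winbind group memberships from `id` output.

Added example (not from the original post). Given an smb.conf and the
output of `id user`, list the GIDs that came back without a name and say
which idmap range (domain) each one belongs to, and check that the idmap
ranges do not overlap. Sample data is constructed from the post.
"""
import re

# Constructed from the post's smb.conf (idmap lines only).
SMB_CONF = """\
[global]
    idmap config * : range = 5000 - 9999
    idmap config mydomain_qua : backend = rid
    idmap config mydomain_qua : range = 700000 - 749999
    idmap config mydomain_tre : backend = rid
    idmap config mydomain_tre : range = 500000 - 549999
    idmap config mydomain_due : backend = rid
    idmap config mydomain_due : range = 300000 - 349999
    idmap config mydomain_uno : backend = rid
    idmap config mydomain_uno : range = 10000 - 99999
    idmap config mydomain : range = 2000000-2999999
    idmap config mydomain : backend = rid
    idmap config * : backend = tdb
"""

# Constructed from the post's `id` output after 'winbind expand groups = 2'
# (Italian locale, hence "gruppi=" instead of "groups=").
ID_OUTPUT = ("uid=501108(myadmin) gid=500513(domain users) "
             "gruppi=500513(domain users),501108(myadmin),"
             "502108(tre_server_login_admins),500572,303336,702605,2001241,"
             "301743,2001625,2001195,501413(tre_ad_admin),701483,13389,"
             "2001206,500512(domain admins)")

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
# "<gid>" optionally followed by "(<name>)"; an absent name means unresolved.
GROUP_RE = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Return (domain_a, domain_b) pairs whose idmap ranges overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if rb[0] <= ra[1]]


def parse_id_groups(output):
    """Return [(gid, name_or_None)] from the groups=/gruppi= part of `id`."""
    _, _, groups = output.rpartition("=")
    return [(int(g), n or None) for g, n in GROUP_RE.findall(groups)]


def domain_for_gid(gid, ranges):
    """Name of the idmap domain whose range contains gid, or None."""
    for dom, (lo, hi) in ranges.items():
        if lo <= gid <= hi:
            return dom
    return None


def unresolved_groups(output, conf):
    """Return [(gid, domain)] for every group that `id` could not name."""
    ranges = parse_idmap_ranges(conf)
    return [(gid, domain_for_gid(gid, ranges))
            for gid, name in parse_id_groups(output) if name is None]


if __name__ == "__main__":
    print("overlapping idmap ranges:",
          overlapping_ranges(parse_idmap_ranges(SMB_CONF)) or "none")
    for gid, dom in unresolved_groups(ID_OUTPUT, SMB_CONF):
        print(f"gid {gid} unresolved (idmap range: {dom or 'no range'})")
```

On a real host, replace `ID_OUTPUT` with the captured output of `id <user>` and `SMB_CONF` with the contents of the live smb.conf; a GID that resolves under `id` but is reported here when captured from the sshd context points at a lookup that is failing only for the domain whose range it falls in, which narrows the search before touching AllowGroups.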