[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Rowland Penny
rpenny at samba.org
Sat Nov 15 10:04:59 UTC 2025
On Fri, 14 Nov 2025 17:43:46 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hi! Marco Gaiarin
> On that day it was said...
>
> >> To get AllowGroups to work, you must set "winbind expand groups
> >> = 1"; if you are using nested groups, increase the number.
> > I'll give it a try, thanks Stefan.
>
> No, seems not so simple to me.
>
> Current smb.conf:
> [global]
> kerberos method = secrets and keytab
> realm = TRE.MYDOMAIN.REDACTED
> security = ADS
> template shell = /bin/bash
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = MYDOMAIN_TRE
> idmap config * : range = 5000 - 9999
> idmap config mydomain_qua : backend = rid
> idmap config mydomain_qua : range = 700000 - 749999
> idmap config mydomain_tre : unix_primary_group = yes
> idmap config mydomain_tre : backend = rid
> idmap config mydomain_tre : range = 500000 - 549999
> idmap config mydomain_due : backend = rid
> idmap config mydomain_due : range = 300000 - 349999
> idmap config mydomain_uno : backend = rid
> idmap config mydomain_uno : range = 10000 - 99999
> idmap config mydomain : range = 2000000-2999999
> idmap config mydomain : backend = rid
> idmap config * : backend = tdb
First, you cannot use 'idmap config mydomain_tre : unix_primary_group =
yes' with the 'rid' backend; it is purely an idmap_ad setting.
You also cannot use 'winbind use default domain = Yes' with your
setup; you need to connect as the users 'MYDOMAIN_UNO\fred' or
'MYDOMAIN_TRE\fred', for instance.
Rowland
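The two points Rowland raises are easy to miss by eye in a long [global] section, so here is a small checker for them. This is an added example, not Samba's own code and not something posted in the thread: it parses the `[global]` section of an smb.conf, collects the per-domain `idmap config` options, and reports (1) `unix_primary_group` on any domain whose backend is not `ad` and (2) `winbind use default domain = yes` when more than one domain has an idmap range. The sample configuration embedded in it is constructed to mirror the one quoted above, with a placeholder realm; the function names are my own.

```python
"""Check an smb.conf for the two winbind/idmap pitfalls named in the reply.

Added example, not Samba's code. It applies only the two rules stated above:
  1. 'unix_primary_group' is an idmap_ad option, so flag it on any domain
     whose idmap backend is not 'ad'.
  2. 'winbind use default domain = yes' does not work with several domains
     in the forest; users must then log in as DOMAIN\\user.
"""
import re

# Constructed sample that mirrors the configuration quoted in the thread
# (realm is a placeholder, not the original poster's).
SAMPLE_SMB_CONF = """\
[global]
kerberos method = secrets and keytab
realm = TRE.EXAMPLE.TEST
security = ADS
winbind use default domain = Yes
workgroup = MYDOMAIN_TRE
idmap config * : range = 5000 - 9999
idmap config mydomain_qua : backend = rid
idmap config mydomain_qua : range = 700000 - 749999
idmap config mydomain_tre : unix_primary_group = yes
idmap config mydomain_tre : backend = rid
idmap config mydomain_tre : range = 500000 - 549999
idmap config * : backend = tdb
"""

# "idmap config <domain> : <option> = <value>" (domain may be '*')
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.*)$", re.I)


def parse_global(text):
    """Return (params, idmap) for the [global] section of smb.conf text.

    params: {lowercased key: value} for plain parameters.
    idmap:  {lowercased domain: {lowercased option: value}}.
    """
    params, idmap = {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).lower(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[opt] = val
            continue
        key, _, val = line.partition("=")
        # smb.conf keys are case- and whitespace-insensitive
        params[" ".join(key.split()).lower()] = val.strip()
    return params, idmap


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_winbind_config(text):
    """Return a list of findings; an empty list means neither pitfall is present."""
    params, idmap = parse_global(text)
    findings = []
    for dom, opts in idmap.items():
        backend = opts.get("backend", "")
        if "unix_primary_group" in opts and backend.lower() != "ad":
            findings.append(
                f"idmap config {dom}: unix_primary_group set but backend is "
                f"'{backend or 'unset'}' (option only applies to idmap_ad)")
    domains = [d for d in idmap if d != "*"]
    if is_yes(params.get("winbind use default domain", "no")) and len(domains) > 1:
        findings.append(
            "winbind use default domain = yes with multiple domains "
            f"({', '.join(sorted(domains))}); users must log in as DOMAIN\\user")
    return findings


if __name__ == "__main__":
    for finding in check_winbind_config(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```

Run it against a real file with `check_winbind_config(open('/etc/samba/smb.conf').read())`; on the sample above it reports both problems. It deliberately reads only `[global]`, since `idmap config` and `winbind use default domain` are global-only parameters.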