[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...

Marco Gaiarin gaio at lilliput.linux.it
Tue Nov 18 21:46:55 UTC 2025


Hello! Rowland Penny via samba
  On that day it was said...

> First, you cannot use 'idmap config mydomain_tre : unix_primary_group =
> yes' with the 'rid' backend, it is purely an idmap_ad setting.

Uh. Oh. Sorry.

But anyway, this output was taken (and redacted) from 'testparm', so it seems it was
considered...


> You also cannot use 'winbind use default domain = Yes' with your set
> up, you need to connect as the users 'MYDOMAIN_UNO\fred' or
> 'MYDOMAIN_TRE\fred' for instance.

No 'winbind use default domain = Yes' works as expected and it is not the
source of trouble.

After some testing the culprit seems to come from the forest (or another
domain in the forest), so all works as expected until I use a group in the
current forest.

If I use in 'AllowGroups' a group not in the current forest, authentication does
not work, except if I do a successful authentication, and until I flush the
groupmap.


And this is using the username, the username and domain, or the UPN: the result is the
same (e.g. it does not work before a successful auth; it works after that).

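A small diagnostic that reproduces the check sshd's 'AllowGroups' effectively performs (the group name must appear among the user's resolved supplementary groups), as an added example that is not part of the thread above. The group lists and the group name 'MYDOMAIN_TRE\ssh-admins' are constructed for illustration; 'user_groups' is an assumed helper that uses 'id' and 'getent' for a live lookup, and it is not run by the constructed checks.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that a group from a
# trusted domain is actually resolved for a user before relying on it in sshd's
# AllowGroups. Group names are compared exactly, one per line, so names with
# spaces such as "domain users" are handled.

# Constructed sample data: the user's resolved groups before the first
# successful logon (trusted-domain group missing) and after it (group present).
SAMPLE_BEFORE='domain users'
SAMPLE_AFTER='domain users
MYDOMAIN_TRE\ssh-admins'

# group_listed NAME  <- stdin: one group name per line; returns 0 if NAME found
group_listed() {
    needle=$1
    while IFS= read -r g; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# check_allowgroup GROUP "newline-separated groups"
# Prints a verdict and returns 0 when sshd would accept the user, 1 otherwise.
check_allowgroup() {
    if printf '%s\n' "$2" | group_listed "$1"; then
        echo "OK: '$1' is among the resolved groups; AllowGroups would match"
        return 0
    fi
    echo "MISSING: '$1' is not resolved; AllowGroups would deny the login"
    return 1
}

# user_groups USER  -> the user's groups, one name per line, via NSS lookups.
# Assumed live helper for real systems; relies on 'id' and 'getent' being
# backed by winbind through nsswitch.conf.
user_groups() {
    for gid in $(id -G "$1"); do
        getent group "$gid" | cut -d: -f1
    done
}

# Demonstration on the constructed data (before/after first logon)
check_allowgroup 'MYDOMAIN_TRE\ssh-admins' "$SAMPLE_BEFORE"
check_allowgroup 'MYDOMAIN_TRE\ssh-admins' "$SAMPLE_AFTER"
```

Run 'check_allowgroup "<group>" "$(user_groups <user>)"' once before and once after a first interactive logon of that user; if the verdict flips from MISSING to OK, the group is only present once winbind has populated its cache, which matches the behaviour described in the post.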