[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Rowland Penny
rpenny at samba.org
Wed Nov 19 09:43:13 UTC 2025
On Tue, 18 Nov 2025 22:46:55 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > First, you cannot use 'idmap config mydomain_tre :
> > unix_primary_group = yes' with the 'rid' backend, it is purely an
> > idmap_ad setting.
>
> Uh. Oh. Sorry.
>
> But anyway this output was taken (and redacted) from 'testparm', so
> it seems it was considered...
For some reason, testparm does not parse the 'idmap config' lines and
ignores them.
>
>
> > You also cannot use 'winbind use default domain = Yes' with your set
> > up, you need to connect as the users 'MYDOMAIN_UNO\fred' or
> > 'MYDOMAIN_TRE\fred' for instance.
>
> No 'winbind use default domain = Yes' works as expected and it is not
> the source of trouble.
It might work as you expect, but it doesn't work as you think.
Let's take a username 'fred' that exists in 'DOMAIN_A' and 'DOMAIN_B',
that is 'DOMAIN_A\fred' and 'DOMAIN_B\fred'.
Locally, both will be seen as 'fred', but:
DOMAIN_A\fred is Fred Bloggs
DOMAIN_B\fred is Fredrica Bloggs
Obviously two different people.
>
> After some testing the culprit seems to come from the forest (or other
> domain in the forest), so all works as expected until I use a group
> in the current forest.
>
> If I use in 'AllowGroup' a group not in the current forest,
> authentication does not work, unless I do a successful
> authentication, and until I flush the groupmap.
>
>
> And this using username, username and domain, or the UPN: the result
> is the same (e.g. it does not work before a successful auth, but works
> after that).
>
I would think (never having tried this) that the group would have to be
a local Unix group.
Rowland
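An added check, not part of the thread: a small shell function that strips the 'DOMAIN\' prefix from two domains' user lists and reports names present in both, i.e. the names that 'winbind use default domain = Yes' would collapse onto a single local 'fred'. The 'wbinfo --domain=<name> -u' wrapper, the domain names and the sample lists are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Lists usernames that exist in more
# than one domain; with 'winbind use default domain = Yes' every such name
# is seen locally as the same unqualified user, as in the
# DOMAIN_A\fred / DOMAIN_B\fred case above.

# strip_domain: turn 'DOMAIN\user' (or plain 'user') into lowercase 'user'
strip_domain() {
    sed 's/^[^\\]*\\//' | tr '[:upper:]' '[:lower:]'
}

# find_collisions LIST_A LIST_B
# Each argument is a newline-separated user list in the form wbinfo prints
# it. Prints each unqualified name present in both lists, sorted, one per
# line; prints nothing when there is no collision.
find_collisions() {
    {
        printf '%s\n' "$1" | strip_domain | sort -u
        printf '%s\n' "$2" | strip_domain | sort -u
    } | sort | uniq -d
}

# check_domains DOMAIN_A DOMAIN_B
# Pulls both user lists from winbind (assumed 'wbinfo --domain=<name> -u'
# output) and reports the colliding names. Requires a running winbindd.
check_domains() {
    find_collisions "$(wbinfo --domain="$1" -u)" "$(wbinfo --domain="$2" -u)"
}

# Constructed sample lists standing in for wbinfo output from two domains.
LIST_A='DOMAIN_A\fred
DOMAIN_A\alice
DOMAIN_A\jsmith'
LIST_B='DOMAIN_B\Fred
DOMAIN_B\bob
DOMAIN_B\jsmith'

# Demo on the constructed lists: prints "fred" and "jsmith".
find_collisions "$LIST_A" "$LIST_B"
```

On a real member server, replace the demo call with 'check_domains DOMAIN_A DOMAIN_B'; any name it prints is one that cannot be told apart locally unless the 'DOMAIN\user' form is used.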