[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...

Marco Gaiarin gaio at lilliput.linux.it
Tue Nov 25 11:02:38 UTC 2025


Hello! Rowland Penny via samba
  On that day, it was said...

>> No 'winbind use default domain = Yes' works as expected and it is not
>> the source of trouble.
> It might work as you expect, but doesn't work as you think.
[...]
> Obviously two different people.

Rowland, I know, but never mind that: we have a policy in place that
prevents the same login from being reused between domains in the forest.


>> And this using username, username and domain, or the UPN: the result
>> is the same (eg: does not work before a successful auth; work after
>> that).
> I would think (never having tried this) that the group would have to be
> a local Unix group.

No, it works as expected also for AD groups, but seemingly only in the same
domain as the users.

The strange thing is that if I do a successful logon, group memberships get
cached, and so I can successfully log on afterwards (until the cache expires).
That is why I speak about a 'bootstrap problem': as long as it works, it works; but
if for some reason it stops working, there's no way to make it work again. ;)


Speaking plainly: consider DOMA\user1 and DOMA\user2, members of
DOMA\group1 and also members of DOMB\group2, where DOMA and DOMB are
clearly part of the same forest.

If I put in sshd_config:

	AllowGroup DOMA\group1

and try to log on with user1 and user2, it works as expected; if I modify
sshd_config, putting:

	AllowGroup DOMB\group2

I can still log on with user1 and user2, because the memberships are cached.

If I do 'net cache flush' and try to log on again, I am no longer able to
log on.

Thanks.
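As an added illustration (not code from the thread or from Samba), the following Python models the decision sshd makes for its `AllowGroups` keyword: login is allowed only if the user's primary or supplementary group list, as NSS/winbind reports it, matches one of the patterns. The two membership tables are constructed: the "cold" view stands for the state after `net cache flush`, where only the same-domain group resolves, and the "warm" view for the state after a successful authentication has repopulated the winbind cache. Group and user names (`DOMA\group1`, `DOMB\group2`, `DOMA\user1`) are the ones used in the message; the pattern must match the name exactly as `id -Gn user` prints it, so a practical check is to compare that output before and after a cache flush against the sshd_config patterns.

```python
"""Model of sshd's AllowGroups decision against the group list that NSS/winbind
reports for a user.  Added example; the membership tables are constructed and
are not captured from any real system."""
import fnmatch

# Constructed group memberships, in the form getent/id would report them.
# NSS_COLD models the state after `net cache flush`: the same-domain group
# resolves, the cross-domain DOMB\group2 membership does not (until a
# successful authentication repopulates the winbind cache).
NSS_COLD = {
    "DOMA\\group1": {"DOMA\\user1", "DOMA\\user2"},
}
# NSS_WARM models the state after a successful logon: both memberships resolve.
NSS_WARM = {
    "DOMA\\group1": {"DOMA\\user1", "DOMA\\user2"},
    "DOMB\\group2": {"DOMA\\user1", "DOMA\\user2"},
}


def parse_allow_groups(config_text):
    """Return the patterns from every AllowGroups line of an sshd_config text.

    Keywords are case-insensitive, '#' starts a comment, and patterns are
    whitespace separated (sshd also accepts '=' between keyword and value)."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()
        if parts[0].lower() == "allowgroups":
            patterns.extend(parts[1:])
    return patterns


def groups_of(nss_view, user):
    """Groups the given NSS view reports for `user` (what `id -Gn user` prints)."""
    return {group for group, members in nss_view.items() if user in members}


def allowed_by_groups(patterns, groups):
    """sshd semantics: allowed if any of the user's groups matches any pattern
    (shell-style wildcards, case-sensitive).  No AllowGroups line means no
    group restriction at all."""
    if not patterns:
        return True
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def login_allowed(config_text, nss_view, user):
    """Combine the three steps: parse config, resolve groups, apply the rule."""
    return allowed_by_groups(parse_allow_groups(config_text),
                             groups_of(nss_view, user))


if __name__ == "__main__":
    # Reproduce the situation from the message: the same two AllowGroups
    # settings, evaluated with a cold and a warm winbind cache.
    for cfg in ("AllowGroups DOMA\\group1\n", "AllowGroups DOMB\\group2\n"):
        for state, view in (("cold cache", NSS_COLD), ("warm cache", NSS_WARM)):
            verdict = "allowed" if login_allowed(cfg, view, "DOMA\\user1") else "DENIED"
            print(f"{cfg.strip():<26} {state}: DOMA\\user1 {verdict}")
```

The output of the `__main__` block shows the asymmetry the message describes: `DOMA\group1` lets the user in whether the cache is cold or warm, while `DOMB\group2` only works while the cross-domain membership is present in the group list sshd sees.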
