In addition, I don't know if it's needed, I don't use OpenVPN.
Simple to test.
You could try to add 'ntlm auth = mschapv2-and-ntlmv2-only' on the DCs and
the needed member.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 16 June 2020 15:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba as a domain member:
>
> On 16/06/2020 13:55, Vieri Di Paola via samba wrote:
> > Yes:
> >
> > # getent group GROUP
> > group:x:17573:
> >
> > # getent group group2
> > group2:x:11010:
> >
> > # getent group GROUP3
> > group3:x:21178:
> >
> > # wbinfo --group-info GROUP
> > group:x:17573:
> >
> > # wbinfo -n GROUP
> > S-1-5-21-948789634-15155995-928725530-7573 SID_DOM_GROUP (2)
> >
> OK, I am not an expert on OpenVPN, but from 'man pam_winbind':
>
>        require_membership_of=[SID or NAME]
>            If this option is set, pam_winbind will only succeed if the
>            user is a member of the given SID or NAME. A SID can be either a
>            group-SID, an alias-SID or even an user-SID. It is also possible
>            to give a NAME instead of the SID. That name must have the form:
>            MYDOMAIN\\mygroup or MYDOMAIN\\myuser. pam_winbind will, in that
>            case, lookup the SID internally. Note that NAME may not contain
>            any spaces. It is thus recommended to only use SIDs. You can
>            verify the list of SIDs a user is a member of with wbinfo
>            --user-sids=SID.
>
>            This option must only be specified on a auth module declaration,
>            as it only operates in conjunction with password authentication.
>
> So, from that, you need to remove 'require_membership_of=GROUP' from the
> 'account' line in /etc/pam.d/openvpn-ivpn
> You also, it would seem, need to replace 'require_membership_of=GROUP'
> with 'require_membership_of=DOMAIN\\GROUP' or
> 'require_membership_of=S-1-5-21-948789634-15155995-928725530-7573' on
> the auth line in /etc/pam.d/openvpn-ivpn
>
> Rowland
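As an added example (not code from the thread or from Samba), a small POSIX sh checker for the two points Rowland makes: require_membership_of is only honoured on auth lines, and its value should be DOMAIN\group or, better, a SID. The path /etc/pam.d/openvpn-ivpn comes from the thread; the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint a PAM service file for the
# pam_winbind mistakes discussed above. Prints one finding per line on
# stdout and returns the number of findings (0 = nothing to fix).
check_pam_winbind() {
    file="$1"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|'') continue ;;            # skip comments and blank lines
            *pam_winbind.so*) ;;           # only pam_winbind lines matter here
            *) continue ;;
        esac
        # First field is the PAM type: auth, account, password or session.
        type=$(printf '%s\n' "$line" | awk '{print $1}')
        # Value of require_membership_of=..., if the line carries one.
        # (A NAME with spaces would be cut short; the man page forbids them.)
        val=$(printf '%s\n' "$line" | awk '{
            for (i = 1; i <= NF; i++)
                if (sub(/^require_membership_of=/, "", $i)) print $i }')
        [ -n "$val" ] || continue
        if [ "$type" != "auth" ]; then
            # Only honoured on auth lines; elsewhere it silently does nothing.
            printf '%s: require_membership_of on "%s" line has no effect\n' "$file" "$type"
            n=$((n + 1))
            continue
        fi
        case "$val" in
            S-1-*) ;;                      # SID form: what the man page recommends
            *\\*) ;;                       # DOMAIN\group form: accepted by pam_winbind
            *)
                printf '%s: require_membership_of=%s needs DOMAIN\\name or a SID\n' "$file" "$val"
                n=$((n + 1))
                ;;
        esac
    done < "$file"
    return "$n"
}
```

Run it as `check_pam_winbind /etc/pam.d/openvpn-ivpn`; a non-zero exit status is the number of lines that still need the fix Rowland describes.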