Rowland Penny
2022-Jan-12 18:51 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
On Wed, 2022-01-12 at 19:23 +0100, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > > Forgot to say: 'winbind use default domain = Yes'.
> > Then remove it, you cannot use it with multiple domains.
>
> Rowland, Andrew some month ago here say that now 'winbind use default domain Yes' works as expected, eg in a multidomain/forest environment, permit to not add the 'default' domain.

Can you provide a link to where Andrew said this ?

The smb.conf manpage still says this about 'windows use default domain':

Users without a domain component are treated as is part of the winbindd server's own domain.

And:

This option should be avoided if possible. It can cause confusion about responsibilities for a user or group.

Rowland
Marco Gaiarin
2022-Jan-18 18:15 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
Hello! Rowland Penny via samba
  On that day it was said...

> Can you provide a link to where Andrew said this ?

https://lists.samba.org/archive/samba/2019-November/226864.html

and the thread, but probably re-reading now all the stuff probably I've misinterpreted something.

> The smb.conf manpage still says this about 'windows use default domain':

Andrew say something about this. It suffices NOT to have login clashes, and there's no login clashes.

Anyway, found another strange thing about this: domain forest root tree DOM.IT, four domains joined in forest SUBA.DOM.IT, SUBB, SUBC and SUBD. User 'a' of domain SUBA.DOM.IT member also of group 'groupa' in forest root tree domain DOM.IT.

In a machine joined to whatever SUB domain (with or without 'winbind use default domain yes'), user 'a' result in group 'groupa'; if the machine is joined to forest root 'DOM.IT', user NOT belong to 'groupa' user.

I need to dig a bit deeper...

-- 
Who knows why, when you dial the wrong number, the phone is never busy. (Beppe Grillo)
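
A configuration check for the setting debated in this thread, as an added example that is not part of the original messages: it parses smb.conf text and flags 'winbind use default domain' for review when more than one domain has its own idmap range. The sample configuration and the short domain names (SUBA, DOM) are constructed, and counting 'idmap config DOMAIN : range' lines as the sign of a multi-domain setup is an assumption of this example.

```python
import re

# Boolean spellings treated as "enabled" (yes/true/on/1, case-insensitive)
TRUE_VALUES = {"yes", "true", "on", "1"}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def review_default_domain(text):
    """Flag the option when several domains have their own idmap range."""
    params = parse_global(text)
    enabled = params.get("winbindusedefaultdomain", "no").lower() in TRUE_VALUES
    # Domains with an "idmap config DOMAIN : range" line, excluding the "*" default
    domains = sorted({m.group(1).upper() for k in params
                      if (m := re.fullmatch(r"idmapconfig(.+):range", k))
                      and m.group(1) != "*"})
    return {"enabled": enabled, "domains": domains,
            "flag": enabled and len(domains) > 1}

# Constructed sample configuration (not taken from the thread)
SAMPLE = """
[global]
    security = ads
    Winbind Use Default Domain = Yes
    idmap config * : range = 3000-7999
    idmap config SUBA : range = 10000-19999
    idmap config DOM : range = 20000-29999
"""

if __name__ == "__main__":
    print(review_default_domain(SAMPLE))
```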