Rowland Penny
2022-Jan-11 12:04 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
On Tue, 2022-01-11 at 12:15 +0100, Marco Gaiarin via samba wrote:
> Situation: multiforest AD domain, RHEL8, samba 4.14.5-2.el8.x86_64.
>
> User 'a' is a member of 'groupa' in domain SUBA.DOM.IT, in a forest where the
> domain 'DOM.IT' has a group 'supergroup' that has 'groupa' as a member.

Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT'?

> If I put in sshd_config:
>
> AllowGroups root supergroup
>
> users are NOT allowed to log in. Also if I do:
>
> id a

Problem is, you should be using 'id DOMAIN\\a', where 'DOMAIN' is the workgroup of user 'a'.

> 'supergroup' is not listed as a membership; clearly if I do:
>
> getent group supergroup
>
> 'supergroup' gets listed (with empty membership).
>
> Seems like winbind by default does not expand the cross-forest membership.
>
> Is there some way to force it? Thanks.

It will undoubtedly help if you post your smb.conf file.

Rowland
Marco Gaiarin
2022-Jan-11 13:38 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
Greetings! On that day, Rowland Penny via samba was saying...
> Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT'?

Sure!

>> id a
> Problem is, you should be using 'id DOMAIN\\a', where 'DOMAIN' is the
> workgroup of user 'a'.

Forgot to say: 'winbind use default domain = Yes'.

>> Is there some way to force it? Thanks.
> It will undoubtedly help if you post your smb.conf file.

Oh, sorry Rowland, true.

    [global]
    kerberos method = secrets and keytab
    realm = DOM.IT
    security = ADS
    template shell = /bin/bash
    winbind expand groups = 5
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = DOM
    idmap config * : range = 1000 - 9999
    idmap config SUBD : backend = rid
    idmap config SUBD : range = 700000 - 749999
    idmap config SUBC : backend = rid
    idmap config SUBC : range = 500000 - 549999
    idmap config SUBB : backend = rid
    idmap config SUBB : range = 300000 - 349999
    idmap config SUBA : backend = rid
    idmap config SUBA : range = 10000 - 99999
    idmap config DOM : backend = rid
    idmap config DOM : range = 2000000-2999999
    idmap config * : backend = tdb

Following 'alex's hint I've added 'winbind expand groups = 5'; in this way a 'getent group groupa' effectively returns all the membership, also in other domains (e.g. it returns 'SUBA\\usera'), but still a simple 'id SUBA\\usera' does not return 'groupa' (or 'DOM\\groupa') as a membership.

-- 
My son Christian used to say that death must be something beautiful, since nobody ever came back. (Yolande Mukagasana)
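The point that decides the thread is how sshd evaluates AllowGroups: it builds the user's group list with getgrouplist(3) (the same list `id` prints) and matches each AllowGroups pattern against those names, so whether the user appears in the member field of `getent group supergroup` is irrelevant; only a group that winbind actually places in the user's token can satisfy the directive. The following script is an added example, not code from the thread or from Samba, and it operates on constructed `id` and `getent` output in the shape the poster describes (with 'winbind use default domain = Yes', groups of the default domain DOM have no prefix, groups of trusted domains keep the 'SUBA\' prefix). The UIDs/GIDs and the user name 'usera' are made up for illustration; negated AllowGroups patterns are not modelled.

```python
"""Check an sshd AllowGroups line against the group list NSS/winbind reports
for a user, and show why `getent group` membership does not count.

All sample data below is constructed for this example; it is not real output
from the poster's hosts."""
import fnmatch
import re

# Constructed: what `id SUBA\usera` looks like while the nested DOM group is
# missing from the user's token (winbind use default domain = Yes).
ID_BEFORE = ("uid=10532(SUBA\\usera) gid=10513(SUBA\\domain users) "
             "groups=10513(SUBA\\domain users),10750(SUBA\\groupa)")
# Constructed: the same user once winbind expands the cross-forest nesting
# and the DOM group (no prefix, it is the default domain) lands in the token.
ID_AFTER = ID_BEFORE + ",2000301(supergroup)"
# Constructed: `getent group supergroup` with an empty member field, as in
# the thread.
GETENT_SUPERGROUP = "supergroup:x:2000301:"
SSHD_ALLOWGROUPS = "AllowGroups root supergroup"


def parse_id_groups(id_output: str) -> set[str]:
    """Primary (gid=) plus supplementary (groups=) group names from an `id` line."""
    names = set()
    m = re.search(r"gid=\d+\(([^)]*)\)", id_output)
    if m:
        names.add(m.group(1))
    m = re.search(r"groups=(.*)$", id_output)
    if m:
        for entry in m.group(1).split(","):
            g = re.fullmatch(r"\d+\(([^)]*)\)", entry.strip())
            if g:
                names.add(g.group(1))
    return names


def allowgroups_patterns(directive: str) -> list[str]:
    """Split an 'AllowGroups a b*' sshd_config line into its patterns."""
    key, _, rest = directive.strip().partition(" ")
    if key.lower() != "allowgroups":
        raise ValueError("not an AllowGroups directive")
    return rest.split()


def sshd_allows(directive: str, user_groups: set[str]) -> bool:
    """sshd admits the user if any pattern matches any group in the token.
    Patterns support the * and ? wildcards sshd accepts."""
    return any(fnmatch.fnmatchcase(group, pat)
               for pat in allowgroups_patterns(directive)
               for group in user_groups)


def getent_members(getent_line: str) -> set[str]:
    """Member names from a `getent group` line (fourth colon field)."""
    fields = getent_line.split(":")
    if len(fields) < 4:
        return set()
    return {m for m in fields[3].split(",") if m}


def diagnose(directive: str, id_output: str, getent_line: str) -> dict:
    """Summarise why a login does or does not pass AllowGroups."""
    token = parse_id_groups(id_output)
    group = getent_line.split(":")[0]
    return {
        "login_allowed": sshd_allows(directive, token),
        "group_in_user_token": group in token,
        # Listed here only to show it plays no role in sshd's decision.
        "getent_members": sorted(getent_members(getent_line)),
    }


if __name__ == "__main__":
    for label, sample in (("before expansion", ID_BEFORE),
                          ("after expansion", ID_AFTER)):
        print(label, diagnose(SSHD_ALLOWGROUPS, sample, GETENT_SUPERGROUP))
```

Run it and the "before" case reports login_allowed False even though the group resolves via getent; the "after" case flips to True purely because 'supergroup' is now in the token. On a real host the same comparison is `id 'SUBA\usera'` versus `wbinfo --user-groups 'SUBA\usera'`: if the nested group is in neither, sshd cannot see it and tuning AllowGroups will not help.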