Eric,
We have this working now, with multiple trusted domains and forests.
We have 'use default domain' = true.
Members in our default domain can use either "userid" or "domain\userid" to connect. Users from other domains must use "domain\userid".
Some potential gotchas to consider:
1) Ensure that the username that is actually processed by the auth mechanism is "domain\userid", and not "domain\\userid". People using Windows & PuTTY to connect will sometimes use "domain\\userid" and fail. Using the correct format with a single "\" works. However, those connecting from other Linux/Unix/Mac systems and a command-line ssh command will need to use the "domain\\userid" format to properly escape the "\" character so that it is properly passed down the line. (Using a single "\" here results in an attempt to log in with "domainuserid"...)
2) Group memberships may be interfering here. You may have a requirement that only members of "domain users" can log in -- this will often also assume the default domain, and users from other domains will not be members of your default domain's "domain users" group. Also, group checks against AD-based groups during SSH connections seem to be dicey, at best.
3) We've noted a change in domain group determination behavior between Samba 3.5.6 and 3.5.9. Previously, we could count on a userid from a trusted domain to show group memberships from both the local system, the user's home domain and from the system's default domain. (Probably from all trusted domains, but we didn't check/use that...) As of Samba 3.5.9, a logged-on user from a trusted domain was only showing a group list showing memberships from the local system and the user's home domain. It no longer showed group memberships in groups in the system's default domain. (And this breaks our operations rather horribly... ;-)
Cheers,
-D
--On Friday, September 16, 2011 5:11 PM -0400 "Eric S. Hvozda" <hvozda at ack.org> wrote:
> It's been a long journey, bear with me.
>
> We have multiple domains that have interdomain trusts in separate forests.
>
> I can successfully authenticate via "wbinfo -A A\\userA" and "wbinfo -A B\\userB"; same with -K.
>
> The host is joined to AD "A". UserA can authenticate successfully and get a shell.
>
> However I desire B\\UserB to also be able to login as well.
>
> However, I can only have users from domain A login, and even then, if and only if I have "winbind use default domain = true".
>
> However it would seem that "winbind use default domain = false" is required to do what I desire. However, I can't seem to get PAM to deal with the domain portion of the string.
>
> i.e. "A\\" of "A\\UserA" or "B\\" of "B\\UserB"
>
> Anyone out doing this already?
>
> How do I get PAM to strip the DOMAIN portion or winbind to strip it prior to passing it to PAM?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Donald L. Meyer <dlmeyer at illinois.edu>
- Technical System Manager, ACES TeleNet Service
- Technical Lead, ACES Web Infrastructure
Information Technology and Communication Services, College of ACES
University of Illinois at Urbana-Champaign
Video/H.323: 0012172445653 (GDS)
Phone: +1.217.244.5653
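As an added illustration of gotchas 1 and 2 in Donald's reply (example code written for this page, not Samba's, winbind's or PAM's own; the default domain "A", the two sample users and the group map are constructed assumptions), the following models what the auth layer receives after a Unix shell has unescaped an unquoted "domain\userid" argument, how a doubled backslash from a PuTTY login field can be collapsed back to a single separator, and why a group requirement written as a bare "domain users" is silently resolved against the default domain and so rejects trusted-domain users:

```python
"""Model of the two login-name gotchas from the thread above.

Not Samba code: the splitting and group rules below are a simplified
illustration, and all sample data is constructed.
"""
import re

DEFAULT_DOMAIN = "A"   # assumed: the domain the host is joined to
SEPARATOR = "\\"       # winbind's default "winbind separator" character


def shell_unescape(arg):
    """What an *unquoted* argument looks like after a POSIX shell has
    processed it: a backslash simply quotes the next character.

    Typing  ssh B\\userb@host   sends "Buserb" (separator lost).
    Typing  ssh B\\\\userb@host sends "B\\userb" (separator preserved).
    """
    return re.sub(r"\\(.)", r"\1", arg)


def split_login(login, use_default_domain=True):
    """Return (DOMAIN, user) for the login string the auth layer sees.

    A literal doubled separator (the Windows/PuTTY mistake in gotcha 1)
    is collapsed to a single one. A login with no separator is assigned
    the default domain only when 'winbind use default domain' is on.
    A name whose separator was already eaten by the shell ("Buserb")
    cannot be repaired here; it is simply an unknown user.
    """
    while SEPARATOR * 2 in login:
        login = login.replace(SEPARATOR * 2, SEPARATOR)
    if SEPARATOR in login:
        domain, user = login.split(SEPARATOR, 1)
        if not domain or not user:
            raise ValueError(f"malformed login {login!r}")
        return domain.upper(), user
    if not use_default_domain:
        raise ValueError(
            "no domain in login and 'winbind use default domain' is off")
    return DEFAULT_DOMAIN, login


# Constructed sample memberships: each user is in its *own* domain's
# "domain users", and both are in a group that lives in domain A.
GROUPS = {
    ("A", "usera"): {"A\\domain users", "A\\ssh-admins"},
    ("B", "userb"): {"B\\domain users", "A\\ssh-admins"},
}


def allowed_by_group(domain, user, required_group):
    """Gotcha 2: an unqualified group name is resolved against the
    default domain, so requiring "domain users" admits A\\usera but
    rejects B\\userb even though B has its own "domain users" group.
    Qualify the group ("B\\domain users") or use a group that both
    domains' users are actually members of ("A\\ssh-admins").
    """
    if SEPARATOR not in required_group:
        required_group = f"{DEFAULT_DOMAIN}{SEPARATOR}{required_group}"
    return required_group in GROUPS.get((domain, user.lower()), set())


if __name__ == "__main__":
    for typed in ["usera", "B\\userb", "B\\\\userb"]:
        seen = shell_unescape(typed)
        try:
            print(f"typed {typed!r:14} auth sees {seen!r:12} ->",
                  split_login(seen))
        except ValueError as exc:
            print(f"typed {typed!r:14} auth sees {seen!r:12} -> {exc}")
    for who in [("A", "usera"), ("B", "userb")]:
        print(who, "domain users:", allowed_by_group(*who, "domain users"),
              "| A\\ssh-admins:", allowed_by_group(*who, "A\\ssh-admins"))
```

shell_unescape only models an unquoted argument; a single-quoted 'B\userb' would reach ssh unchanged, which is the other way of getting the single backslash through from a Unix client. The group check is the part worth testing on a real box with wbinfo and `id`, since, as the reply notes, which domains' groups winbind reports for a trusted-domain user has varied between Samba releases.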