Hello! L.P.H. van Belle via samba
  On that day it was said...

> What you show below is correct.
> In linux, DOM\user != user

I know. And I was using 'wbinfo', which, AFAIK, queries winbind directly
and no POSIX stuff...

> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> [realms]
>     SAMDOM.EXAMPLE.COM = {
>         auth_to_local = RULE:[1:SAMDOM\$1]
>     }

Interesting! I've looked at that in the past, but I was not interested
in SSO so I've probably skipped it.

Anyway, I've tried to comment out 'winbind use default domain = yes'
and add this stanza to /etc/krb5.conf but it seems it does not work, e.g.:

 root@vdmsv1:~# getent passwd gaio
 root@vdmsv1:~# getent passwd LNFFVG\\gaio
 LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash

only the 'domainful' version of the account works.

> Now, since I'm not sure this works OK, I don't use it on my debian servers, I use option2.
> option2 is ignore the "not recommended setting : "winbind use default domain = yes"

Me too, option 2. ;-)

-- 
dott. Marco Gaiarin                        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Mon, 18 Dec 2017 16:44:32 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! L.P.H. van Belle via samba
>   On that day it was said...
>
> > What you show below is correct.
> > In linux, DOM\user != user
>
> I know. And I was using 'wbinfo', which, AFAIK, queries winbind directly
> and no POSIX stuff...
>
> > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> > [realms]
> >     SAMDOM.EXAMPLE.COM = {
> >         auth_to_local = RULE:[1:SAMDOM\$1]
> >     }
>
> Interesting! I've looked at that in the past, but I was not interested
> in SSO so I've probably skipped it.
>
> Anyway, I've tried to comment out 'winbind use default domain = yes'
> and add this stanza to /etc/krb5.conf but it seems it does not work, e.g.:
>
>  root@vdmsv1:~# getent passwd gaio
>  root@vdmsv1:~# getent passwd LNFFVG\\gaio
>  LNFFVG\gaio:*:10000:10513:Marco Gaiarin:/home/gaio:/bin/bash
>
> only the 'domainful' version of the account works.

Of course it doesn't work, if you look at 'winbind use default domain
yes', it is clearly telling 'winbind' to use the default domain even if
it is not supplied, if it is turned off, then 'gaio' is not a domain
member, but 'LNFFVG\\gaio' is.

> > Now, since I'm not sure this works OK, I don't use it on my debian
> > servers, I use option2. option2 is ignore the "not recommended
> > setting : "winbind use default domain = yes"
>
> Me too, option 2. ;-)
>

Just don't add a trusted domain ;-)

Rowland
Hello! Rowland Penny via samba
  On that day it was said...

> > only the 'domainful' version of the account works.
> Of course it doesn't work, if you look at 'winbind use default domain
> yes', it is clearly telling 'winbind' to use the default domain even if
> it is not supplied, if it is turned off, then 'gaio' is not a domain
> member, but 'LNFFVG\\gaio' is.

OK, probably I've not understood what 'auth_to_local' does; I supposed it
did the same (translating logins to DOMAIN\\logins)...

> > Me too, option 2. ;-)
> Just don't add a trusted domain ;-)

Sure!

-- 
dott. Marco Gaiarin                        GNUPG Key ID: 240A3D66
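
What the `auth_to_local` rule quoted in this thread operates on, as an added example (not code from the thread, the Samba wiki or MIT krb5): a small Python model of the krb5.conf RULE syntax, showing that the rule turns a Kerberos principal into a local account name at authentication time and has no part in NSS lookups such as `getent passwd gaio`. The principals, the realm OTHER.EXAMPLE and the realm-checking rule are constructed, and Python's `re` stands in for the POSIX regular expressions krb5 uses.

```python
import re

# Subset of the krb5.conf syntax: RULE:[n:selstring](regexp)s/pattern/replacement/g
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def auth_to_local(principal, rules, default_realm):
    """Map a Kerberos principal to a local account name; None if no rule applies."""
    name, _, realm = principal.partition("@")
    fields = [realm] + name.split("/")      # $0 = realm, $1..$n = components
    ncomp = len(fields) - 1
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: one-component principals of the default realm only.
            if ncomp == 1 and realm == default_realm:
                return fields[1]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unsupported rule: {rule}")
        n, sel, regexp, pat, repl, g = m.groups()
        if int(n) != ncomp:
            continue                        # rule is for another component count
        refs = [int(r) for r in re.findall(r"\$(\d+)", sel)]
        if any(r > ncomp for r in refs):
            raise ValueError(f"rule references a missing component: {rule}")
        s = re.sub(r"\$(\d+)", lambda k: fields[int(k.group(1))], sel)
        if regexp is not None and not re.fullmatch(regexp, s):
            continue                        # regexp must cover the whole string
        if pat is not None:                 # replacement text is taken literally
            s = re.sub(pat, lambda _: repl, s, count=0 if g else 1)
        return s
    return None

REALM = "SAMDOM.EXAMPLE.COM"
WIKI_RULES = [r"RULE:[1:SAMDOM\$1]"]        # the rule quoted in the thread
# Constructed variant: put the realm ($0) in the string so the regexp can check it.
STRICT_RULES = [r"RULE:[1:SAMDOM\$1@$0](.*@SAMDOM\.EXAMPLE\.COM)s/@.*//"]

if __name__ == "__main__":
    for p in ("gaio@SAMDOM.EXAMPLE.COM",    # constructed principals
              "host/vdmsv1@SAMDOM.EXAMPLE.COM",
              "gaio@OTHER.EXAMPLE"):
        print(f"{p:32} wiki={auth_to_local(p, WIKI_RULES, REALM)!r:16}"
              f" strict={auth_to_local(p, STRICT_RULES, REALM)!r}")
```

In this model the wiki rule never looks at the realm, so `gaio@OTHER.EXAMPLE` also comes out as `SAMDOM\gaio`, while the constructed realm-checking rule returns no mapping for it.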