Nice call. It almost worked except for a small error in 'man
pam_winbind' -- DOMAIN\\GROUP should actually be DOMAIN\GROUP in the
pam.d file.
Now, I'm a bit confused.
The pam module 'pam_winbind' is from the Samba suite.
OpenVPN is just passing on the authentication decision to Samba.
However, I was expecting to just use the group name without the domain
name since I have 'winbind use default domain = yes' in smb.conf.
Maybe the fact that I initially used:
idmap config OTHERDOMAIN : backend = rid
idmap config OTHERDOMAIN : range = 1000000-9999999
in Samba 4.11.9 on this new server screwed this up (now they are commented out).
I might need to "leave" the domain, remove the tdb files and re-join
(with the OTHERDOMAIN entries in smb.conf commented out)?
I'm asking because I have two older systems (same distro, same
packages, but older versions) that work fine with
'require_membership_of=GROUP'.
On these systems, the smb.conf is different (configured at least a year ago):
samba-4.5.10 (also built with system-mitkrb5)
[global]
workgroup = DOMAIN
server role = standalone server
printcap name = cups
load printers = yes
log file = /var/log/samba/log.%m
max log size = 50
map to guest = bad user
security = ads
realm = DOMAIN.ORG
encrypt passwords = yes
unix password sync = Yes
pam password change = yes
username map = /etc/samba/smbusers
template homedir = /home/%U
template shell = /bin/bash
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
local master = no
os level = 20
domain master = no
preferred master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
wins server = 10.1.4.1
dns proxy = yes
dos charset = 850
unix charset = ISO8859-1
; max protocol = smb2
max protocol = NT1
winbind use default domain = yes
kerberos method = secrets and keytab
winbind refresh tickets = yes
Now, I don't really care for these older systems as they will be
removed. I want to use the new installation with the new smb.conf, and
I can live with specifying DOMAIN\GROUP in pam.d (no problem). It's
just that I'd prefer to understand why it is now required but it
wasn't before.
Thanks,
Vieri
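As an added example (not the poster's code, nor anything from the Samba or OpenVPN projects), a small lint that parses an smb.conf and one pam_winbind line from pam.d, flags the doubled backslash the poster found in the man page rendering, and reports an unqualified group name when 'winbind use default domain' is not set. The sample smb.conf and pam line below are constructed from this thread, not real files.

```python
import re

# Constructed sample inputs modelled on the thread (not the poster's real files).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOMAIN
   security = ads
   winbind use default domain = yes
   ; idmap config OTHERDOMAIN : backend = rid
   ; idmap config OTHERDOMAIN : range = 1000000-9999999
"""
# The doubled backslash is what copying the rendered man page produced.
SAMPLE_PAM_LINE = r"auth required pam_winbind.so require_membership_of=DOMAIN\\GROUP"


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace
    removed, which is how Samba itself compares parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank or commented out
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)     # first '=' only: keys may contain ':'
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def check_pam_winbind(pam_line, smb_conf):
    """Return a list of findings for one pam_winbind line ([] = nothing flagged)."""
    fields = pam_line.split()
    if "pam_winbind.so" not in fields:
        return ["not a pam_winbind line"]
    opts = dict(f.split("=", 1) for f in fields if "=" in f)
    groups = opts.get("require_membership_of", "")
    if not groups:
        return ["no require_membership_of: any domain user who authenticates is accepted"]
    use_default = smb_conf.get("global", {}).get("winbindusedefaultdomain", "no").lower()
    findings = []
    for g in groups.split(","):
        if "\\\\" in g:                         # two backslash characters in the file
            findings.append(f"{g}: doubled backslash, write a single DOMAIN\\GROUP separator")
        elif "\\" not in g and not g.upper().startswith("S-1-") and use_default != "yes":
            findings.append(f"{g}: unqualified group but 'winbind use default domain' is not yes")
    return findings
```

Group SIDs (S-1-...) are accepted by require_membership_of and carry no domain prefix, so they are exempt from the unqualified-name check.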