Marco Gaiarin
2022-Jan-11 11:15 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
Situation: multiforest AD domain, RHEL8, samba 4.14.5-2.el8.x86_64 .

User 'a' is a member of 'groupa' in domain SUBA.DOM.IT, in a forest where the domain 'DOM.IT' has a group 'supergroup' that has 'groupa' as a member.

If I put in sshd_config:

AllowGroups root supergroup

users are NOT allowed to log in. Also if I do:

id a

'supergroup' is not listed as a membership; clearly if I do:

getent group supergroup

'supergroup' gets listed (with empty membership).

Seems like winbind by default does not expand the cross-forest membership.

Is there some way to force it? Thanks.

--
The poor must stop complaining about the speck in the rich man's eye while they have a beam up their own ass! (Paolo Rossi, on a link from Bologna to the TV show MARKETTE, impersonating Berlusconi)
Hello Marco,

Won't "winbind expand groups = 5" help?

> Situation: multiforest AD domain, RHEL8, samba 4.14.5-2.el8.x86_64 .
> User 'a' is a member of 'groupa' in domain SUBA.DOM.IT, in a forest where the
> domain 'DOM.IT' has a group 'supergroup' that has 'groupa' as a member.
> If I put in sshd_config:
> AllowGroups root supergroup
> users are NOT allowed to log in. Also if I do:
> id a
> 'supergroup' is not listed as a membership; clearly if I do:
> getent group supergroup
> 'supergroup' gets listed (with empty membership).
> Seems like winbind by default does not expand the cross-forest membership.
> Is there some way to force it? Thanks.

--
Best regards,
Alex
Rowland Penny
2022-Jan-11 12:04 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
On Tue, 2022-01-11 at 12:15 +0100, Marco Gaiarin via samba wrote:
> Situation: multiforest AD domain, RHEL8, samba 4.14.5-2.el8.x86_64 .
>
> User 'a' is a member of 'groupa' in domain SUBA.DOM.IT, in a forest
> where the domain 'DOM.IT' has a group 'supergroup' that has 'groupa'
> as a member.

Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT' ?

> If I put in sshd_config:
>
> AllowGroups root supergroup
>
> users are NOT allowed to log in. Also if I do:
>
> id a

Problem is, you should be using 'id DOMAIN\\a' , where 'DOMAIN' is the workgroup of user 'a'.

> 'supergroup' is not listed as a membership; clearly if I do:
>
> getent group supergroup
>
> 'supergroup' gets listed (with empty membership).
>
> Seems like winbind by default does not expand the cross-forest
> membership.
>
> Is there some way to force it? Thanks.

It will undoubtedly help if you post your smb.conf file.

Rowland
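A small diagnostic added here, not code from any poster, that ties the two checks in this thread together: it parses the group names out of the output of `id 'DOMAIN\user'` (the form Rowland suggests) and emulates the name match sshd performs for `AllowGroups`, so a nested or cross-forest group that winbind has not expanded shows up as "missing". The two `id` outputs are constructed to illustrate the membership before and after expansion, not captured from the poster's hosts.

```shell
#!/bin/sh
# Added diagnostic, not from any poster: emulate sshd's AllowGroups matching
# against the group names winbind returns for 'id DOMAIN\user'. sshd matches
# names from the NSS group database, so a nested or cross-forest group that
# winbind has not expanded never appears in that list and never matches.
# (Plain names only; sshd's wildcard patterns in AllowGroups are not emulated.)

# Print the group names from one line of 'id' output, one per line, with any
# winbind 'DOMAIN\' or 'DOMAIN+' prefix removed. Also drops the trailing
# 'context=...' field that 'id' prints on SELinux hosts such as RHEL8.
id_group_names() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=//p' |
        sed 's/ context=.*$//' |
        tr ',' '\n' |
        sed -n 's/^[0-9][0-9]*(\(.*\))$/\1/p' |
        sed 's/^[^\\+]*[\\+]//'
}

# Succeed (0) if the user is in at least one AllowGroups entry, else fail (1).
# Prints "match"/"missing" for every entry so the absent group is obvious.
sshd_allowgroups_check() {
    allow="$1"    # the AllowGroups value, e.g. "root supergroup"
    id_out="$2"   # the output of: id 'DOMAIN\user'
    rc=1
    for g in $allow; do
        if id_group_names "$id_out" | grep -qxF -- "$g"; then
            echo "match   $g"; rc=0
        else
            echo "missing $g"
        fi
    done
    return $rc
}

# Constructed sample 'id' outputs (assumed layout, not captured from the
# poster's hosts): BEFORE shows only the direct SUBA group; AFTER is what a
# fully expanded membership would look like, with 'DOM\supergroup' present.
ID_BEFORE='uid=10001(SUBA\a) gid=10000(SUBA\domain users) groups=10000(SUBA\domain users),10002(SUBA\groupa)'
ID_AFTER='uid=10001(SUBA\a) gid=10000(SUBA\domain users) groups=10000(SUBA\domain users),10002(SUBA\groupa),20001(DOM\supergroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

main() {
    echo "== before expansion =="
    sshd_allowgroups_check "root supergroup" "$ID_BEFORE" || echo "=> sshd would deny the login"
    echo "== after expansion =="
    sshd_allowgroups_check "root supergroup" "$ID_AFTER" && echo "=> sshd would allow the login"
}
main
```

Run it against real output by replacing the constructed strings with `"$(id 'SUBA\a')"`; the `winbind separator` is assumed to be the default backslash.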