Marco Gaiarin
2022-Jan-18 18:15 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
Hi! Rowland Penny via samba, on that day wrote...

> Can you provide a link to where Andrew said this ?

https://lists.samba.org/archive/samba/2019-November/226864.html

and the thread, but probably re-reading now all the stuff probably I've misinterpreted something.

> The smb.conf manpage still says this about 'winbind use default domain':

Andrew says something about this. It suffices NOT to have login clashes, and there are no login clashes.

Anyway, found another strange thing about this: domain forest root tree DOM.IT, four domains joined in forest SUBA.DOM.IT, SUBB, SUBC and SUBD.

User 'a' of domain SUBA.DOM.IT member also of group 'groupa' in forest root tree domain DOM.IT.

In a machine joined to whatever SUB domain (with or without 'winbind use default domain yes'), user 'a' results in group 'groupa'; if the machine is joined to forest root 'DOM.IT', the user does NOT belong to 'groupa'.

I need to dig a bit deeper...

--
Who knows why, when you dial a wrong number, the phone is never busy. (Beppe Grillo)
Rowland Penny
2022-Jan-18 21:24 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
On Tue, 2022-01-18 at 19:15 +0100, Marco Gaiarin via samba wrote:
> Hi! Rowland Penny via samba, on that day wrote...
>
> > Can you provide a link to where Andrew said this ?
>
> https://lists.samba.org/archive/samba/2019-November/226864.html
>
> and the thread, but probably re-reading now all the stuff probably I've misinterpreted something.

OK, Andrew wrote:

    It only strips the default domain. All the others are untouched. It is (essentially) also only in the getpwnam() and pam codepaths, not in the SID->ID stuff, we generally avoid going via names as much as possible.

However 'man smb.conf' says this about 'winbind use default domain':

    This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own domain. While this does not benefit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would in a native unix system.

    This option should be avoided if possible. It can cause confusion about responsibilities for a user or group. In many situations it is not clear whether winbind or /etc/passwd should be seen as authoritative for a user, likewise for groups.

One of those must be wrong: it either uses the default domain (or no domain) for all users and groups (no matter the originating domain) or it only works with the users and groups from the default domain. If you set 'winbind use default domain = yes' in a smb.conf file with multiple domains, then strange things happen.

There is also the fact that the parameter is 'winbind use default domain'; the 'default' domain (when using the 'rid' or 'ad' backend) is the one that isn't '*'. How does winbind know what is the 'default' domain if there is more than one domain that isn't the '*' domain ?

If Andrew is correct, then the 'winbind use default domain' parameter in 'man smb.conf' needs a much better description.

> > The smb.conf manpage still says this about 'winbind use default domain':
>
> Andrew says something about this. It suffices NOT to have login clashes, and there are no login clashes.
>
> Anyway, found another strange thing about this: domain forest root tree DOM.IT, four domains joined in forest SUBA.DOM.IT, SUBB, SUBC and SUBD.
>
> User 'a' of domain SUBA.DOM.IT member also of group 'groupa' in forest root tree domain DOM.IT.
>
> In a machine joined to whatever SUB domain (with or without 'winbind use default domain yes'), user 'a' results in group 'groupa'; if the machine is joined to forest root 'DOM.IT', the user does NOT belong to 'groupa'.
>
> I need to dig a bit deeper...

I can lend you a good spade :-D

Rowland
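As an added illustration of the multi-domain case Rowland describes (this fragment is constructed for this note, not taken from the thread or from the Samba project), here is an smb.conf idmap layout for a member server joined to SUBA.DOM.IT in the forest Marco describes; the NetBIOS names (SUBA, SUBB, SUBC, SUBD, DOM) and the ID ranges are assumptions.

```ini
# Constructed example: member server joined to SUBA.DOM.IT in a forest whose
# root is DOM.IT with children SUBA/SUBB/SUBC/SUBD. NetBIOS names and ranges
# are assumed, not taken from the thread.
[global]
   security = ads
   realm = SUBA.DOM.IT
   workgroup = SUBA

   # Keep the domain prefix. 'SUBA\a' and 'DOM\a' stay distinguishable, and a
   # cross-domain group such as 'DOM\groupa' keeps its qualified name.
   # With 'yes', per Andrew's note, only the joined domain's prefix is
   # stripped; names from the other domains in the forest are left untouched,
   # which is where the "which one is the default?" question above comes from.
   winbind use default domain = no

   # Catch-all for well-known SIDs and BUILTIN; must not overlap any domain range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # One non-overlapping 'rid' range per domain in the forest, so the same RID
   # in two different domains can never map to the same Unix ID.
   idmap config SUBA : backend = rid
   idmap config SUBA : range = 10000-999999
   idmap config DOM : backend = rid
   idmap config DOM : range = 1000000-1999999
   idmap config SUBB : backend = rid
   idmap config SUBB : range = 2000000-2999999
   idmap config SUBC : backend = rid
   idmap config SUBC : range = 3000000-3999999
   idmap config SUBD : backend = rid
   idmap config SUBD : range = 4000000-4999999

   # The 'rid' backend has no Unix attributes in AD, so supply them here.
   template shell = /bin/bash
   template homedir = /home/%D/%U
```

After the join, comparing `id 'SUBA\a'` with `wbinfo --user-groups 'SUBA\a'` shows whether the forest-root group 'DOM\groupa' is resolved for the user, which is the cross-forest membership this thread is chasing.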