Rowland Penny
2022-Jan-18 21:24 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
On Tue, 2022-01-18 at 19:15 +0100, Marco Gaiarin via samba wrote:
> Hello, Rowland Penny via samba!
> On that day it was said...
>
> > Can you provide a link to where Andrew said this?
>
> https://lists.samba.org/archive/samba/2019-November/226864.html
>
> and the thread, but probably, re-reading all the stuff now, I've
> misinterpreted something.

OK, Andrew wrote:

    It only strips the default domain. All the others are untouched.
    It is (essentially) also only in the getpwnam() and pam codepaths,
    not in the SID->ID stuff, we generally avoid going via names as much
    as possible.

However 'man smb.conf' says this about 'winbind use default domain':

    This parameter specifies whether the winbindd(8) daemon should
    operate on users without domain component in their username. Users
    without a domain component are treated as is part of the winbindd
    server's own domain. While this does not benefit Windows users, it
    makes SSH, FTP and e-mail function in a way much closer to the way
    they would in a native unix system.

    This option should be avoided if possible. It can cause confusion
    about responsibilities for a user or group. In many situations it is
    not clear whether winbind or /etc/passwd should be seen as
    authoritative for a user, likewise for groups.

One of those must be wrong: it either uses the default domain (or no
domain) for all users and groups (no matter the originating domain) or
it only works with the users and groups from the default domain. If you
set 'winbind use default domain = yes' in a smb.conf file with multiple
domains, then strange things happen.

There is also the fact that the parameter is 'winbind use default
domain', and the 'default' domain (when using the 'rid' or 'ad' backend)
is the one that isn't '*'. How does winbind know which is the 'default'
domain if there is more than one domain that isn't the '*' domain?

If Andrew is correct, then the 'winbind use default domain' parameter in
'man smb.conf' needs a much better description.

> > The smb.conf manpage still says this about 'winbind use default
> > domain':
>
> Andrew says something about this. It suffices NOT to have login
> clashes, and there are no login clashes.
>
> Anyway, I found another strange thing about this: domain forest root
> tree DOM.IT, four domains joined in the forest: SUBA.DOM.IT, SUBB,
> SUBC and SUBD.
>
> User 'a' of domain SUBA.DOM.IT is also a member of group 'groupa' in
> the forest root tree domain DOM.IT.
>
> On a machine joined to whatever SUB domain (with or without 'winbind
> use default domain = yes'), user 'a' results in group 'groupa'; if the
> machine is joined to the forest root 'DOM.IT', the user does NOT
> belong to 'groupa'.
>
> I need to dig a bit deeper...

I can lend you a good spade :-D

Rowland
Dirk Laurenz
2022-Jan-18 22:52 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
Here it is: https://www.dropbox.com/s/gv4manfg1g8st4d/jd01.zip?dl=0

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba
Sent: Tuesday, 18 January 2022 22:25
To: samba at lists.samba.org
Subject: Re: [Samba] pam_winbind, ssh and cross-forest membership...
Marco Gaiarin
2022-Jan-21 10:27 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
Hello, Rowland Penny via samba!
On that day it was said...

> If you set 'winbind use default domain = yes' in a smb.conf file with
> multiple domains, then strange things happen.

Andrew seems to say 'no', that on the latest Samba code the 'winbind use
default domain = yes' stuff is more solid/coherent... clearly you have
to keep 'coherence' of your POSIX stuff, having users with and without
domain on the same server... but this is up to you...

> There is also the fact that the parameter is 'winbind use default
> domain', the 'default' domain (when using the 'rid' or 'ad' backend)
> is the one that isn't '*'. How does winbind know what is the 'default'
> domain if there are more than one domain that isn't the '*' domain?

Seems absolutely clear to me. It is what is defined in the:

    workgroup =
    realm =

stanza in [global]...

> If Andrew is correct, then the 'winbind use default domain' parameter
> in 'man smb.conf' needs a much better description.

Probably. Can you 'ping' Andrew for feedback? ;-)

-- 
Nobody expects the Bavarian inquisition! (Anonymous, 19/4/2005)
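The thread leaves open what 'winbind use default domain' does on a host whose idmap configuration covers more than one domain (Rowland's question) and which domain counts as the default (Marco's answer: the one in 'workgroup'). As an added example, not from the thread or from the Samba project, the following Python script parses a constructed smb.conf modelled on the forest described above and flags exactly that situation: the setting enabled while domains other than the 'workgroup' one have their own idmap backend. It takes Marco's reading (default domain = 'workgroup') and Andrew's statement (only that domain's prefix is stripped, the others are untouched) as assumptions rather than verified Samba behaviour; the domain short names, idmap ranges and the 'SAMPLE_SMB_CONF' text are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment (not taken from the thread): a host joined to
# SUBA in a forest rooted at DOM, with the root and a sibling domain given
# their own 'rid' idmap ranges. Domain names and ranges are invented.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SUBA
    realm = SUBA.DOM.IT
    security = ADS
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SUBA : backend = rid
    idmap config SUBA : range = 10000-999999
    idmap config DOM : backend = rid
    idmap config DOM : range = 1000000-1999999
    idmap config SUBB : backend = rid
    idmap config SUBB : range = 2000000-2999999
"""

# The same host with the setting switched off: every domain account then has
# to be given with its domain prefix, and bare names are left to /etc/passwd.
SAMPLE_SMB_CONF_OFF = SAMPLE_SMB_CONF.replace(
    "winbind use default domain = yes", "winbind use default domain = no")

IDMAP_BACKEND_RE = re.compile(r"^idmap config (\S+) : backend$")


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters of an smb.conf as a dict.

    Samba ignores case and whitespace in parameter names; here names are
    lower-cased with whitespace collapsed so lookups use one spelling.
    Values are kept verbatim. Whole-line comments ('#' or ';') are skipped.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def idmap_domains(params: Dict[str, str]) -> List[str]:
    """Domains with their own idmap backend, excluding the '*' default domain."""
    found = []
    for key in params:
        m = IDMAP_BACKEND_RE.match(key)
        if m and m.group(1) != "*":
            found.append(m.group(1).upper())
    return sorted(found)


def default_domain(params: Dict[str, str]) -> str:
    """The domain whose prefix gets stripped: the short name in 'workgroup'.

    Assumption taken from Marco's reading in the thread, not from Samba's
    source. Returns '' when 'workgroup' is not set.
    """
    return params.get("workgroup", "").upper()


def check_default_domain(params: Dict[str, str]) -> List[str]:
    """Findings about 'winbind use default domain' on this host ([] = OK)."""
    value = params.get("winbind use default domain", "no").lower()
    if value not in ("yes", "true", "1"):
        return []
    dflt = default_domain(params)
    if not dflt:
        return ["winbind use default domain = yes, but 'workgroup' is unset: "
                "no domain to strip"]
    others = [d for d in idmap_domains(params) if d != dflt]
    if not others:
        return []
    # Per Andrew's description only the default domain loses its prefix, so a
    # bare 'a' on this host is the SUBA account even if DOM also has an 'a'.
    return [
        f"bare user/group names are treated as {dflt}; {', '.join(others)} keep "
        f"their prefix, so 'a' here means {dflt}\\a and a same-named account in "
        f"{others[0]} is only reachable as {others[0]}\\a"
    ]


if __name__ == "__main__":
    for conf in (SAMPLE_SMB_CONF, SAMPLE_SMB_CONF_OFF):
        for finding in check_default_domain(parse_global(conf)) or ["no findings"]:
            print(finding)
```

Run against a real smb.conf the check is cheap and offline; on a joined host you would confirm the result with 'wbinfo -n' and 'getent passwd' for a bare name and for the same name with each domain prefix.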