Marco Gaiarin
2022-Jan-11 13:38 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
Hello! Rowland Penny via samba, on that day, said...

> Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT' ?

Sure!

>> id a
> Problem is, you should be using 'id DOMAIN\\a' , where 'DOMAIN' is the
> workgroup of user 'a'.

Forgot to say: 'winbind use default domain = Yes'.

>> There's some way to force it? Thanks.
> It will undoubtedly help if you post your smb.conf file.

Oh, sorry Rowland, true.

[global]
	kerberos method = secrets and keytab
	realm = DOM.IT
	security = ADS
	template shell = /bin/bash
	winbind expand groups = 5
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = DOM
	idmap config * : range = 1000 - 9999
	idmap config SUBD : backend = rid
	idmap config SUBD : range = 700000 - 749999
	idmap config SUBC : backend = rid
	idmap config SUBC : range = 500000 - 549999
	idmap config SUBB : backend = rid
	idmap config SUBB : range = 300000 - 349999
	idmap config SUBA : backend = rid
	idmap config SUBA : range = 10000 - 99999
	idmap config DOM : backend = rid
	idmap config DOM : range = 2000000-2999999
	idmap config * : backend = tdb

Following 'alex's hint I've added 'winbind expand groups = 5'; in this way effectively a 'getent group groupa' returns all the membership, also in other domains (eg, returns 'SUBA\\usera'), but still a simple 'id SUBA\\usera' does not return 'groupa' (or 'DOM\\groupa') as membership.

-- 
  My son Christian used to say that death must be something beautiful, since nobody ever came back.  (Yolande Mukagasana)
Rowland Penny
2022-Jan-11 15:08 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
On Tue, 2022-01-11 at 14:38 +0100, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
> On that day, said...
> 
> > Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT' ?
> 
> Sure!
> 
> > > id a
> > Problem is, you should be using 'id DOMAIN\\a' , where 'DOMAIN' is
> > the
> > workgroup of user 'a'.
> 
> Forgot to say: 'winbind use default domain = Yes'.

Then remove it, you cannot use it with multiple domains.

Rowland
Marco Gaiarin
2022-Jan-21 10:52 UTC
[Samba] pam_winbind, ssh and cross-forest membership...
OK, I restate all the stuff, hoping someone can answer.

Situation: AD forest (done with MS ADDC, sorry...) composed of a 'forest tree' domain DOM.IT (DOM) and 4 subdomains SUBA.DOM.IT (SUBA), SUBB.DOM.IT (SUBB), SUBC.DOM.IT (SUBC), SUBD.DOM.IT (SUBD).

Supposing every subdomain has a user and a group, for the sake of simplicity:

 + SUBA\usera member of SUBA\groupa
 + SUBB\userb member of SUBB\groupb
 + SUBC\userc member of SUBC\groupc
 + SUBD\userd member of SUBD\groupd

Also, the forest tree domain has a group, supposing 'DOM\admins', and all 4 users are members (directly, or indirectly by means of other groups).

If I set up a pretty standard RH 8.5 compatible distro, samba 4.14.5-2.el8.x86_64, with an smb.conf like:

> [global]
> 	kerberos method = secrets and keytab
> 	realm = DOM.IT
> 	security = ADS
> 	template shell = /bin/bash
> 	winbind expand groups = 5
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	workgroup = DOM
> 	idmap config * : range = 1000 - 9999
> 	idmap config SUBD : backend = rid
> 	idmap config SUBD : range = 700000 - 749999
> 	idmap config SUBC : backend = rid
> 	idmap config SUBC : range = 500000 - 549999
> 	idmap config SUBB : backend = rid
> 	idmap config SUBB : range = 300000 - 349999
> 	idmap config SUBA : backend = rid
> 	idmap config SUBA : range = 10000 - 99999
> 	idmap config DOM : backend = rid
> 	idmap config DOM : range = 2000000-2999999
> 	idmap config * : backend = tdb

and join the machine to the DOM domain, configuring PAM/NSS/winbind, I can log in to the box using all the aforementioned users.

But if I add to sshd_config:

	AllowGroups root admins

('DOM\admins', 'winbind use default domain = No' change nothing, Rowland) ssh logon is refused, and I note that if I do:

	id usera

I get all memberships of 'usera', apart from the memberships on the forest tree domain (eg 'DOM\admins').

At this point we start to get puzzled, probably by some cache (samba or NSS), because, for example:

 a) if we relax 'AllowGroups', we do a logon and after that we set again the filter on 'DOM\admins' membership, now it works; and after logon, users get the correct membership.

 b) if we join the same machine to a subdomain (eg, 'SUBD.DOM.IT') 'DOM\admins' membership appears also for other users, not only for 'SUBD\userd' (but probably this is also a 'cache effect', we are not sure...).

It seems to me that the default NSS/winbind configuration is not able to 'evaluate' correctly all the memberships in the ssh auth stage, but only after a successful logon. But clearly this is a problem... users get fixed if they log on, but cannot log on if they are not fixed... ;-)

I hope I was clear now. Thanks.

-- 
  The Internet is the largest equivalence class in the reflexive transitive symmetric closure of the relationship ``can be reached by an IP packet from''.  (Seth Breidbart)
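An added sanity checker for the idmap layout of the smb.conf quoted in this thread (example code written for this page, not Samba's own tooling nor anything posted by the participants): it parses the [global] section, verifies that every idmap domain has both a backend and a range, that the ranges do not overlap, and flags 'winbind use default domain = Yes' when trusted domains are configured, which is the point Rowland's reply makes. The sample config is a constructed, trimmed copy of the one posted; the function names are my own.

```python
import re
# Constructed sample: a trimmed copy of the [global] section posted in the thread.
SAMPLE_SMB_CONF = """
[global]
    winbind use default domain = Yes
    workgroup = DOM
    idmap config * : range = 1000 - 9999
    idmap config SUBB : backend = rid
    idmap config SUBB : range = 300000 - 349999
    idmap config SUBA : backend = rid
    idmap config SUBA : range = 10000 - 99999
    idmap config DOM : backend = rid
    idmap config DOM : range = 2000000-2999999
    idmap config * : backend = tdb
"""
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_global(text):
    # Returns (params, idmap): plain parameters keyed by lowercased name, and per-domain idmap settings.
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            if key == "range":  # "1000 - 9999" or "2000000-2999999" -> (lo, hi)
                val = tuple(int(x) for x in re.split(r"\s*-\s*", val))
            idmap.setdefault(dom, {})[key] = val
        else:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params, idmap

def check_idmap(params, idmap):
    # Returns a list of problems; an empty list means the idmap layout is sane.
    problems = []
    for dom, cfg in idmap.items():
        if "backend" not in cfg or "range" not in cfg:
            problems.append(f"{dom}: needs both a backend and a range")
    ranges = sorted((cfg["range"], dom) for dom, cfg in idmap.items() if "range" in cfg)
    for (a, da), (b, db) in zip(ranges, ranges[1:]):
        if b[0] <= a[1]:  # sorted by low end, so b starting inside a is an overlap
            problems.append(f"ranges overlap: {da} {a} and {db} {b}")
    default_dom = params.get("winbind use default domain", "no").lower()
    if default_dom in ("yes", "true", "1") and len(idmap) > 2:  # '*' plus more than one real domain
        problems.append("'winbind use default domain = Yes' with trusted domains: unqualified names "
                        "are only looked up in the joined domain, so qualify them as DOMAIN\\name")
    return problems
```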