Marco Gaiarin
2022-Apr-20 20:07 UTC
[Samba] SSH, pam_winbind and cross-forest membership...
In a multidomain/forest environment, it seems that on domain members some cross-forest memberships get evaluated by pam_winbind only after a successful logon.

But what if I need (for example) users to log on to a server via SSH if and only if they are members of a particular cross-forest group (e.g. using AllowGroups in sshd_config)?

How can I solve this 'chicken and egg' problem?

Thanks.

-- 
I'm not interested in feeling intelligent by watching idiots on TV; I would rather feel like an idiot in front of excellent people. (Franco Battiato)
Christopher Cox
2022-Apr-20 21:18 UTC
[Samba] SSH, pam_winbind and cross-forest membership...
On 4/20/22 15:07, Marco Gaiarin via samba wrote:
>
> In a multidomain/forest environment, seems that on domain members some
> cross-forest membership get evaluated by pam_winbind only after a
> successful logon.
>
> But if i need (for example) users to logon to a server via SSH if
> and only if they are members of a particular cross-forest group
> (eg using AllowGroups in sshd_config)?
>
>
> How can i solve this 'chicken and egg' problem?
>
>
> Thanks.
>

At the risk of getting ultra-hacky, you could look into using an extra nss provider where you populate the group data by doing your own enumeration of all of that (by some means). There are several modules out there, like nss_altfiles.
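As an added illustration of the approach suggested in the reply above (not code from either poster, nor from the Samba or nss_altfiles projects): rendering separately enumerated membership into group(5) records for a files-style NSS provider, refusing names that could inject extra fields or records, and replacing the file atomically so a lookup never sees a partial file. The group name, gid, member names and the allowed-character policy are assumptions, and how the membership is enumerated is left open, as in the thread.

```python
import os
import re
import tempfile

# Assumed policy: allow winbind-style DOMAIN\user names, refuse anything that
# could break a group(5) record (colon, comma, whitespace, control characters).
_NAME_RE = re.compile(r"[A-Za-z0-9_.\\$-]+")

def render_group_file(groups):
    """Render {name: (gid, [members])} as group(5) lines, sorted by name."""
    seen_gids = {}
    lines = []
    for name, (gid, members) in sorted(groups.items()):
        if not _NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe group name: {name!r}")
        if not isinstance(gid, int) or gid <= 0:
            raise ValueError(f"invalid gid for {name}: {gid!r}")
        if gid in seen_gids:
            raise ValueError(f"gid {gid} used by {seen_gids[gid]} and {name}")
        seen_gids[gid] = name
        clean = []
        for member in members:
            # fullmatch (not match with $) so a trailing newline is rejected too
            if not _NAME_RE.fullmatch(member):
                raise ValueError(f"unsafe member name in {name}: {member!r}")
            if member not in clean:
                clean.append(member)
        lines.append(f"{name}:x:{gid}:{','.join(clean)}")
    return "\n".join(lines) + "\n"

def write_atomically(path, content):
    """Write to a temp file in the target directory, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o644)  # group data must be world-readable for NSS lookups
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

# Constructed sample data standing in for the "own enumeration" in the reply.
SAMPLE = {"ssh-allowed": (70001, ["FORESTB\\alice", "FORESTA\\bob", "FORESTB\\alice"])}
```

The output path passed to `write_atomically` is whatever group file the chosen NSS module is configured to read; the group it defines is then the one named in AllowGroups.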