Christopher Cox
2022-Apr-20 21:18 UTC
[Samba] SSH, pam_winbind and cross-forest membership...
On 4/20/22 15:07, Marco Gaiarin via samba wrote:
> In a multidomain/forest environment, it seems that on domain members some
> cross-forest memberships get evaluated by pam_winbind only after a
> successful logon.
>
> But what if I need (for example) users to log on to a server via SSH if
> and only if they are members of a particular cross-forest group
> (e.g. using AllowGroups in sshd_config)?
>
> How can I solve this 'chicken and egg' problem?
>
> Thanks.

At the risk of getting ultra-hacky, you could look into using an extra nss provider where you populate the group data by doing your own enumeration of all of that (by some means). There are several modules out there. Like nss_altfiles.
Marco Gaiarin
2022-Apr-27 21:32 UTC
[Samba] SSH, pam_winbind and cross-forest membership...
Hello! Christopher Cox via samba, on that day, wrote...
> At the risk of getting ultra-hacky, you could look into using an extra nss
> provider where you populate the group data by doing your own enumeration of all
> of that (by some means).
> There are several modules out there. Like nss_altfiles.

Seems too 'hacky', right. Also, I currently have 'three ways' to auth, but none works in a multidomain/forest environment (or, at least, I've not managed to make it work):

1) winbind: works as expected, but complex membership gets evaluated only post login, so the 'chicken and egg' trouble.

2) kerberos: I've not managed to make it work in a multidomain/forest; there's no group membership.

3) pure LDAP: I've not tried it, but probably with the correct config I can obtain all that I need (UPN login; group membership), but it is a bit hard to set up, and Rowland and Louis say "don't use LDAP, use Kerberos" now and then. ;-)

-- 
...and go who knows where so as not to pay taxes, with the grin and the ignorance of the top of the class. (F. Guccini)
Marco Gaiarin
2022-May-09 13:57 UTC
[Samba] SSH, pam_winbind and cross-forest membership...
Still replying to myself. ;-)

> 1) winbind: works as expected, but complex membership gets evaluated only
> post login, so the 'chicken and egg' trouble.

Probably this is a very stupid answer, and probably I should be ashamed in front of the whole list, but we are using 'domain local' groups, which clearly are 'domain local'... After switching to a 'Universal group', the cross-forest membership now works as expected.

Still, a minor glitch remains: we have found that if we remove a user from an authorized group, the user can still do a 'last logon', because the membership cache gets updated on a successful logon.

Is there some way to fine-tune the membership cache in winbind?

Thanks.

-- 
but the exceptional feat, believe me, is being normal (L. Dalla)
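As an added example (not code from the thread or from Samba), a small pre-check that applies sshd's AllowGroups matching to the group list winbind currently reports for a user (the output of `id -Gn`), so both behaviours discussed above, a cross-forest group that only appears after a successful logon and a removed group that lingers in the cache, can be spotted before anyone tries to log in. The sshd_config fragment, the group snapshots, the user name and the `+` winbind separator are all constructed assumptions.

```python
import fnmatch
import shlex

# Constructed stand-in for /etc/ssh/sshd_config (Match blocks are not modelled).
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
# sshd checks AllowGroups before PAM runs, so a cross-forest group that winbind
# only resolves after a successful logon cannot satisfy it (the chicken and egg).
AllowGroups ssh-admins FOREST2+ssh-*
PasswordAuthentication no
"""

# Constructed `id -Gn alice` snapshots; '+' is the assumed winbind separator.
BEFORE_FIRST_LOGON = ["domain users", "FOREST2+app-devs"]
AFTER_LOGON = ["domain users", "FOREST2+app-devs", "FOREST2+ssh-ops"]
# What the directory says after alice is removed from FOREST2+ssh-ops; the
# winbind cache keeps AFTER_LOGON until the next successful logon refreshes it.
DIRECTORY_NOW = ["domain users", "FOREST2+app-devs"]

def allow_groups(config_text):
    """Return the space-separated AllowGroups patterns; sshd honours only the
    first occurrence of a keyword, so later duplicates are ignored."""
    for line in config_text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0].lower() == "allowgroups":
            return words[1:]
    return []

def user_allowed(config_text, user_groups):
    """True if any reported group matches an AllowGroups pattern. sshd patterns
    use '*' and '?' and are case sensitive, which fnmatchcase reproduces; with
    no AllowGroups line sshd does not filter by group at all."""
    patterns = allow_groups(config_text)
    if not patterns:
        return True
    return any(fnmatch.fnmatchcase(group, pat)
               for group in user_groups for pat in patterns)

def stale_groups(cached_groups, directory_groups):
    """Groups still in winbind's cached list but gone from the directory: each
    can still get the user past AllowGroups until the cache is refreshed."""
    return sorted(set(cached_groups) - set(directory_groups))

if __name__ == "__main__":
    print("before first logon:", user_allowed(SSHD_CONFIG, BEFORE_FIRST_LOGON))
    print("after logon:", user_allowed(SSHD_CONFIG, AFTER_LOGON))
    print("stale in cache:", stale_groups(AFTER_LOGON, DIRECTORY_NOW))
```

On a real domain member, feed it the actual `id -Gn <user>` output and the live sshd_config; a user who is denied before the first logon but allowed afterwards is hitting the group-scope problem described in the thread.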