On 16/06/2023 19:49, Stefan Kania via samba wrote:
> Hi,
>
> With sssd I can do:
> $ ssh user@domain.tld@HOST1
> $ id user@domain.tld
> $ ls -al /home/domain.tld/user
> drwx------ 5 user@domain.tld domain users@domain.tld 103 12. Jun 14:14 .
> $ grep AllowGroups /etc/ssh/sshd_config
> AllowGroups lokale_gruppe samba_gruppe@domain.tld
>
> When switching to winbind only
> $ id user@domain.tld
>
> is working, any other command is using user\domain
>
> $ ls -al /home/domain.tld/brielmj
> drwxr-x--- 4 DOMAIN\user DOMAIN\domain users 4096 Jun 15 17:10 .
> $ grep AllowGroups /etc/ssh/sshd_config
> AllowGroups lokale_gruppe DOMAIN\samba_gruppe
>
> Is there a way to use winbind the same way as I can do with sssd?
>
> I've never thought about it, but I have a customer who wants to switch
> from sssd to winbind and I can't find anything.
>

Hi, Stefan,

I think you have something set up incorrectly, or you are connecting to a DC, or something changed after Samba 4.17.8.

I can log on using ssh with kerberos to a Unix domain member running on bookworm (Samba 4.17.8):

rowland@devstation:~$ ssh rowland@TESTDM12.SAMDOM.EXAMPLE.COM
Creating directory '/home/rowland'.
Linux testdm12 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

If I run 'id' I get this:

rowland@testdm12:~$ id rowland@samdom.example.com
uid=11104(rowland) gid=10513(domain users) groups=10513(domain users),11104(rowland),10512(domain admins),10572(denied rodc password replication group),12605(testgroup),3001(BUILTIN\users),3000(BUILTIN\administrators)

and running 'ls' against my home directory gets this:

rowland@testdm12:~$ ls -la /home/rowland
total 32
drwxr-xr-x 3 rowland domain users 4096 Jun 17 12:12 .
drwxr-xr-x 4 root    root         4096 Jun 17 12:12 ..
-rw-r--r-- 1 rowland domain users  220 Jun 17 12:12 .bash_logout
-rw-r--r-- 1 rowland domain users 3526 Jun 17 12:12 .bashrc
drwx------ 3 rowland domain users 4096 Jun 17 12:12 .config
-rw-r--r-- 1 rowland domain users 5290 Jun 17 12:12 .face
lrwxrwxrwx 1 rowland domain users    5 Jun 17 12:12 .face.icon -> .face
-rw-r--r-- 1 rowland domain users  807 Jun 17 12:12 .profile

No 'DOMAIN' anywhere.

Rowland

Does he need "winbind use default domain = yes"?

Thanks,
Robert Vaughan

Hi Rowland,

so it's different when using winbind instead of sssd ;-) And you can't get the same result with "ls -l" using winbind. That's what I also thought, but as always: There is more between heaven and earth.

Stefan
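
A check an administrator could run after changing the NSS backend, added here as an example and not taken from any message in the thread: it lists the AllowGroups entries of an sshd_config that no longer resolve, which is what happens to "samba_gruppe@domain.tld" once group names come back as "DOMAIN\samba_gruppe". The function names, the winbind_stub resolver and the sample config are constructed for illustration; the default resolver calls getent group.

```shell
#!/bin/sh
# Added example: list sshd AllowGroups entries that NSS can no longer resolve.

# Default resolver: ask NSS (winbind or sssd, whichever nsswitch.conf selects).
resolve_group() { getent group "$1" >/dev/null 2>&1; }

# Constructed stand-in for a winbind-only member (hypothetical): it knows the
# local group and the DOMAIN\group form, but not the group@domain.tld form.
winbind_stub() {
    case $1 in
        lokale_gruppe|'DOMAIN\samba_gruppe') return 0 ;;
        *) return 1 ;;
    esac
}

# unresolved_allow_groups FILE [RESOLVER]
# Prints every AllowGroups entry in FILE that RESOLVER cannot find.
# Entries using sshd pattern characters (* ? !) are skipped: they are not names.
unresolved_allow_groups() {
    conf=$1
    resolver=${2:-resolve_group}
    # read -r keeps the backslash in DOMAIN\group intact.
    while read -r keyword rest; do
        case $keyword in
            [Aa][Ll][Ll][Oo][Ww][Gg][Rr][Oo][Uu][Pp][Ss]) ;;
            *) continue ;;
        esac
        set -f                      # no filename globbing while splitting
        for g in $rest; do
            case $g in
                *[*?!]*) continue ;;
            esac
            "$resolver" "$g" || printf '%s\n' "$g"
        done
        set +f
    done < "$conf"
}

# Constructed sample: the sssd-era AllowGroups line from the thread, checked
# against the winbind-style resolver.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sshd_config' \
        'AllowGroups lokale_gruppe samba_gruppe@domain.tld' > "$tmp"
    unresolved_allow_groups "$tmp" winbind_stub
    rm -f "$tmp"
}

demo    # prints: samba_gruppe@domain.tld
```

Called with only the config path on the domain member itself, the function asks the real NSS backend, so any name it prints is an AllowGroups entry sshd can no longer match to a group.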