Stefan Kania
2025-Nov-10 16:05 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
To get AllowGroups to work, you must set "winbind expand groups = 1"; if you are using nested groups, increase the number.

On 10.11.25 at 12:06, Marco Gaiarin via samba wrote:
> [I retry... still no feedback... thanks...]
>
> We need to set up some Samba member servers (RH/Oracle Linux, but I think it does not matter too much...) joined to an MS AD forest (5 domains in the forest).
>
> We are trying to configure SSH access to the server, and the first try was to use sshd_config 'AllowGroups', but we have found some sort of 'chicken and egg' trouble, so users have to have done a successful logon to have groups correctly enumerated and so be able to log on.
>
> A simple solution seems to be to NOT use 'AllowGroups' and add (in /etc/security/pam_winbind.conf or in the PAM configuration, see later):
>
> require_membership_of=<our administration SID or group name>
>
> Looking at the manpage, it seems to me that this parameter (even added in /etc/security/pam_winbind.conf) is taken into account only in the 'password' PAM context, e.g. all groups are taken into account for, e.g., most notably the 'session' PAM context.
>
> Anyway, I'm asking here if:
>
> 1) this is the correct solution, or there's another solution for this 'chicken and egg' trouble in group enumeration
>
> 2) it is correct to add 'require_membership_of' to /etc/security/pam_winbind.conf or it is preferable to add it only to the ssh PAM configuration (clearly in the 'password' context).
>
> Thanks.
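As an added example (not code from this thread, Samba or OpenSSH): a small POSIX sh check that compares the group names NSS currently returns for a user, which is what sshd consults, against the patterns of an sshd_config AllowGroups line, so you can see on the member server whether the group set is actually enumerated before relying on it. The group names, the `linux-admins` pattern and `DOMAIN\user` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, Samba or OpenSSH.
# Compares the groups NSS currently returns for a user (what sshd sees)
# against the patterns in an sshd_config AllowGroups line.
set -f   # never expand patterns such as '*-admins' against the filesystem

# allowgroups_match PATTERNS GROUPS
#   PATTERNS: the value of AllowGroups, space separated; '*' and '?' are
#             wildcards as in sshd_config(5) PATTERNS
#   GROUPS:   the user's group names, one per line
# Returns 0 when any group matches any pattern, 1 otherwise.
allowgroups_match() {
    patterns=$1
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        for p in $patterns; do
            case "$g" in
                $p) return 0 ;;
            esac
        done
    done <<EOF
$2
EOF
    return 1
}

# user_groups USER: the group names NSS resolves for USER, one per line.
# Resolving by gid keeps names containing spaces ("domain users") intact.
user_groups() {
    for gid in $(id -G "$1"); do
        getent group "$gid" | cut -d: -f1
    done
}

# Constructed sample of the "chicken and egg" situation: before the first
# logon only the primary group may be known; afterwards the nested
# memberships are enumerated too.
before_first_logon="domain users"
after_first_logon="domain users
linux-admins
ssh-users"

if allowgroups_match "linux-admins" "$before_first_logon"; then
    echo "before first logon: allowed"
else
    echo "before first logon: denied, linux-admins not enumerated yet"
fi
allowgroups_match "linux-admins" "$after_first_logon" && echo "after first logon: allowed"
# On a real member server (run as root; DOMAIN\user is a placeholder):
# allowgroups_match "$(sshd -T | awk '/^allowgroups/ {$1=""; print}')" \
#                   "$(user_groups 'DOMAIN\user')"
```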
Marco Gaiarin
2025-Nov-12 17:03 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Hi! Stefan Kania via samba said on that day:
> To get AllowGroups to work, you must set "winbind expand groups = 1"; if you are using nested groups, increase the number.

I'll give it a try, thanks Stefan.
--
Marco Gaiarin
2025-Nov-18 21:49 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Hi! Stefan Kania via samba said on that day:
> To get AllowGroups to work, you must set "winbind expand groups = 1"; if you are using nested groups, increase the number.

I've tried some integers other than 1, but in the current forest (see previous messages) 'winbind expand groups = X' simply seems to break group resolution in the forest, leading to strange results. I've tried X as 1, 2 and 3. Same result.
--