Marco Gaiarin
2025-Nov-14 16:43 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Greetings! Marco Gaiarin
  On that day it was said...

>> To get AllowGroups to work, you must set "winbind expand groups = 1";
>> if you are using nested groups, increase the number.

> I'll give it a try, thanks Stefan.

No, it seems not so simple to me.

Current smb.conf:

[global]
    kerberos method = secrets and keytab
    realm = TRE.MYDOMAIN.REDACTED
    security = ADS
    template shell = /bin/bash
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MYDOMAIN_TRE
    idmap config * : range = 5000 - 9999
    idmap config mydomain_qua : backend = rid
    idmap config mydomain_qua : range = 700000 - 749999
    idmap config mydomain_tre : unix_primary_group = yes
    idmap config mydomain_tre : backend = rid
    idmap config mydomain_tre : range = 500000 - 549999
    idmap config mydomain_due : backend = rid
    idmap config mydomain_due : range = 300000 - 349999
    idmap config mydomain_uno : backend = rid
    idmap config mydomain_uno : range = 10000 - 99999
    idmap config mydomain : range = 2000000-2999999
    idmap config mydomain : backend = rid
    idmap config * : backend = tdb

No smbd running, only winbind. Every modification was done restarting winbind and running 'net cache flush' twice.

[root at svoltest1 ~]# id "myadmin"
uid=501108(myadmin) gid=500513(domain users) gruppi=500513(domain users),501108(myadmin),502108(tre_server_login_admins),500572(denied rodc password replication group),303336(MYDOMAIN_DUE\due_ad_domain_admin),702605(MYDOMAIN_QUA\qua_ad_domain_admin),2001241(MYDOMAIN\mydomain_admin_laps),301743(MYDOMAIN_DUE\due_ad_admin),2001625(MYDOMAIN\mydomain_pc_admins),2001195(MYDOMAIN\mydomain_wiki_admins),501413(tre_ad_admin),701483(MYDOMAIN_QUA\qua_ad_admin),13389(MYDOMAIN_LOM\bp_xnat),2001206(MYDOMAIN\mydomain_bacula_admins),500512(domain admins)

If I add, to give it a try:

    winbind enum groups = Yes
    winbind enum users = Yes

I obtain:

[root at svoltest1 ~]# id "myadmin"
uid=501108(myadmin) gid=500513(domain users) gruppi=500513(domain users),501108(myadmin),502108(tre_server_login_admins),500572(denied rodc password replication group),303336(MYDOMAIN_DUE\due_ad_domain_admin),702605(MYDOMAIN_QUA\qua_ad_domain_admin),2001241(MYDOMAIN\mydomain_admin_laps),301743(MYDOMAIN_DUE\due_ad_admin),2001625(MYDOMAIN\mydomain_pc_admins),2001195(MYDOMAIN\mydomain_wiki_admins),501413(tre_ad_admin),701483(MYDOMAIN_QUA\qua_ad_admin),13389(MYDOMAIN_LOM\bp_xnat),2001206(MYDOMAIN\mydomain_bacula_admins),500512(domain admins)

(exactly the same); if I remove the 'enum' lines above and add:

    winbind expand groups = 2

I obtain:

[root at svoltest1 ~]# id "myadmin"
uid=501108(myadmin) gid=500513(domain users) gruppi=500513(domain users),501108(myadmin),502108(tre_server_login_admins),500572,303336,702605,2001241,301743,2001625,2001195,501413(tre_ad_admin),701483,13389,2001206,500512(domain admins)

so, the same memberships but with some unknown groups.

Anyway, all the trouble came from sshd: it seems that if I do an 'id', groups get enumerated correctly, but if I try to use 'AllowGroups' in sshd, sometimes groups do not get evaluated/cached, and so logon fails.

Thanks.

--
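An added diagnostic for the symptom above (not code from the thread or from Samba): it splits the group list that `id` prints into resolved names and numeric-only GIDs, and checks a given AllowGroups entry against the resolved names only, since sshd can only match by name. It assumes an exact-name AllowGroups entry (sshd wildcard patterns are not handled) and group names without '='; `SAMPLE_GROUPS`, `report` and the other function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Samba: separates the
# groups winbind resolved to a name from GIDs that came back numeric-only.
# sshd's AllowGroups is matched by name, so an unresolved GID can never
# satisfy it, whatever the user's real AD membership is.
# Constructed sample, modelled on the third `id` output in the post.
SAMPLE_GROUPS='500513(domain users),501108(myadmin),502108(tre_server_login_admins),500572,303336,301743(MYDOMAIN_DUE\due_ad_admin),501413(tre_ad_admin),500512(domain admins)'

# Split "gid(name),gid,..." into one entry per line.
split_entries() {
    printf '%s\n' "$1" | tr ',' '\n'
}

# Space-separated GIDs that have no "(name)" part (unresolved by winbind).
unresolved_gids() {
    split_entries "$1" | grep -v '(' | tr '\n' ' ' | sed 's/ $//'
}

# Names of resolved groups, exactly as winbind returned them
# (with or without the DOMAIN\ prefix).
resolved_names() {
    split_entries "$1" | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Succeeds if an AllowGroups entry (assumed exact name, no wildcard)
# matches a resolved group name; -F keeps backslashes literal.
group_allowed() {
    resolved_names "$1" | grep -qxF -- "$2"
}

# Group list from a live `id USER`; the label before the last '=' may be
# localised (groups=, gruppi=), so everything up to it is stripped.
live_groups() {
    id "$1" | sed 's/^.*=//'
}

# Human-readable report for one group list and one AllowGroups entry.
report() {
    if [ -n "$(unresolved_gids "$1")" ]; then
        printf 'unresolved GIDs (check winbind/idmap): %s\n' "$(unresolved_gids "$1")"
    fi
    if group_allowed "$1" "$2"; then
        printf "AllowGroups '%s': match\n" "$2"
    else
        printf "AllowGroups '%s': NO match, sshd would reject the login\n" "$2"
    fi
}

report "$SAMPLE_GROUPS" 'MYDOMAIN_DUE\due_ad_domain_admin'
```

On a real host, `report "$(live_groups myadmin)" 'tre_server_login_admins'` runs the same check against winbind's current answer.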
Rowland Penny
2025-Nov-15 10:04 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
On Fri, 14 Nov 2025 17:43:46 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Greetings! Marco Gaiarin
>   On that day it was said...
>
> >> To get AllowGroups to work, you must set "winbind expand groups
> >> = 1"; if you are using nested groups, increase the number.
>
> > I'll give it a try, thanks Stefan.
>
> No, it seems not so simple to me.
>
> Current smb.conf:
> [global]
>     kerberos method = secrets and keytab
>     realm = TRE.MYDOMAIN.REDACTED
>     security = ADS
>     template shell = /bin/bash
>     winbind refresh tickets = Yes
>     winbind use default domain = Yes
>     workgroup = MYDOMAIN_TRE
>     idmap config * : range = 5000 - 9999
>     idmap config mydomain_qua : backend = rid
>     idmap config mydomain_qua : range = 700000 - 749999
>     idmap config mydomain_tre : unix_primary_group = yes
>     idmap config mydomain_tre : backend = rid
>     idmap config mydomain_tre : range = 500000 - 549999
>     idmap config mydomain_due : backend = rid
>     idmap config mydomain_due : range = 300000 - 349999
>     idmap config mydomain_uno : backend = rid
>     idmap config mydomain_uno : range = 10000 - 99999
>     idmap config mydomain : range = 2000000-2999999
>     idmap config mydomain : backend = rid
>     idmap config * : backend = tdb

First, you cannot use 'idmap config mydomain_tre : unix_primary_group = yes' with the 'rid' backend; it is purely an idmap_ad setting.

You also cannot use 'winbind use default domain = Yes' with your setup; you need to connect as the users 'MYDOMAIN_UNO\fred' or 'MYDOMAIN_TRE\fred', for instance.

Rowland