Rowland Penny
2025-Nov-15 10:04 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
On Fri, 14 Nov 2025 17:43:46 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Marco Gaiarin
>   In that day, you wrote...
>
> >> To get AllowGroups to work, you must set "winbind expand groups
> >> = 1"; if you are using nested groups, increase the number.
> >
> > I'll give it a try, thanks Stefan.
>
> No, seems not so simple to me.
>
> Current smb.conf:
>
> [global]
>     kerberos method = secrets and keytab
>     realm = TRE.MYDOMAIN.REDACTED
>     security = ADS
>     template shell = /bin/bash
>     winbind refresh tickets = Yes
>     winbind use default domain = Yes
>     workgroup = MYDOMAIN_TRE
>     idmap config * : range = 5000 - 9999
>     idmap config mydomain_qua : backend = rid
>     idmap config mydomain_qua : range = 700000 - 749999
>     idmap config mydomain_tre : unix_primary_group = yes
>     idmap config mydomain_tre : backend = rid
>     idmap config mydomain_tre : range = 500000 - 549999
>     idmap config mydomain_due : backend = rid
>     idmap config mydomain_due : range = 300000 - 349999
>     idmap config mydomain_uno : backend = rid
>     idmap config mydomain_uno : range = 10000 - 99999
>     idmap config mydomain : range = 2000000-2999999
>     idmap config mydomain : backend = rid
>     idmap config * : backend = tdb

First, you cannot use 'idmap config mydomain_tre : unix_primary_group = yes' with the 'rid' backend, it is purely an idmap_ad setting.

You also cannot use 'winbind use default domain = Yes' with your set up, you need to connect as the users 'MYDOMAIN_UNO\fred' or 'MYDOMAIN_TRE\fred' for instance.

Rowland
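The two problems Rowland points at (an idmap_ad-only option on a 'rid' domain, and 'winbind use default domain' in a multi-domain setup) are both visible from the [global] section alone, so they can be linted before winbind is restarted. The following is an added example, not code from the thread or from the Samba project: it parses the idmap lines of the redacted smb.conf above (embedded as a constructed copy), flags 'unix_primary_group' on any non-'ad' backend, checks that no two idmap ranges overlap (Samba requires disjoint ranges), and warns when 'winbind use default domain = yes' is combined with more than one configured domain. The function names and the check messages are this example's own.

```python
import re

# Redacted [global] section as posted in the thread (a constructed copy for this example).
SMB_CONF = """\
[global]
    kerberos method = secrets and keytab
    realm = TRE.MYDOMAIN.REDACTED
    security = ADS
    template shell = /bin/bash
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MYDOMAIN_TRE
    idmap config * : range = 5000 - 9999
    idmap config mydomain_qua : backend = rid
    idmap config mydomain_qua : range = 700000 - 749999
    idmap config mydomain_tre : unix_primary_group = yes
    idmap config mydomain_tre : backend = rid
    idmap config mydomain_tre : range = 500000 - 549999
    idmap config mydomain_due : backend = rid
    idmap config mydomain_due : range = 300000 - 349999
    idmap config mydomain_uno : backend = rid
    idmap config mydomain_uno : range = 10000 - 99999
    idmap config mydomain : range = 2000000-2999999
    idmap config mydomain : backend = rid
    idmap config * : backend = tdb
"""

# "idmap config <domain> : <option> = <value>"; <domain> may be the '*' default.
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.IGNORECASE)

# Backends that map SIDs into a numeric range and therefore need 'range' set.
RANGED_BACKENDS = {"rid", "ad", "tdb", "tdb2", "autorid"}


def parse_smb_conf(text):
    """Return (params, idmap) for the [global] section.

    params maps a normalised option name to its value; idmap maps a lower-cased
    domain name (or '*') to its own {option: value} dict."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[opt] = val
        else:
            key, val = line.split("=", 1)
            params[" ".join(key.lower().split())] = val.strip()
    return params, idmap


def parse_range(value):
    """'5000 - 9999' or '2000000-2999999' -> (5000, 9999) / (2000000, 2999999)."""
    lo, hi = (int(part) for part in value.split("-"))
    return lo, hi


def check_conf(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    params, idmap = parse_smb_conf(text)
    findings = []

    for dom, opts in idmap.items():
        backend = opts.get("backend", "").lower()
        # unix_primary_group is documented for idmap_ad only (the point made in the reply).
        if "unix_primary_group" in opts and backend != "ad":
            findings.append(f"idmap config {dom}: unix_primary_group is an idmap_ad option, "
                            f"but the backend here is '{backend or 'unset'}'")
        if backend in RANGED_BACKENDS and "range" not in opts:
            findings.append(f"idmap config {dom}: backend '{backend}' has no range")

    # Every idmap range, including the '*' default, must be disjoint from the others.
    ranges = sorted((parse_range(o["range"]), d) for d, o in idmap.items() if "range" in o)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:
            findings.append(f"idmap ranges overlap: {d1} {r1} and {d2} {r2}")

    # With several domains, 'use default domain' only helps users of the workgroup itself;
    # the reply's advice for the others is to log in as 'DOMAIN\\user'.
    domains = [d for d in idmap if d != "*"]
    use_default = params.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    if use_default and len(domains) > 1:
        findings.append(f"winbind use default domain = yes with {len(domains)} domains configured "
                        f"(workgroup '{params.get('workgroup', '?')}'): users of the other domains "
                        f"should log in as 'DOMAIN\\user'")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SMB_CONF):
        print("WARNING:", finding)
```

Run against the posted configuration this reports exactly the two issues raised in the reply and no range overlap; feeding it a [global] section with two 'rid' domains whose ranges intersect adds an overlap finding, which is the mistake most often behind duplicate UIDs across domains.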
Marco Gaiarin
2025-Nov-18 21:46 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Hi! Rowland Penny via samba
  In that day, you wrote...

> First, you cannot use 'idmap config mydomain_tre : unix_primary_group
> yes' with the 'rid' backend, it is purely an idmap_ad setting.

Uh. Oh. Sorry. But anyway this output was taken (and redacted) from 'testparm', so it seems it was considered...

> You also cannot use 'winbind use default domain = Yes' with your set
> up, you need to connect as the users 'MYDOMAIN_UNO\fred' or
> 'MYDOMAIN_TRE\fred' for instance.

No, 'winbind use default domain = Yes' works as expected and it is not the source of trouble.

After some testing the culprit seems to come from the forest (or other domain in the forest), so all works as expected until I use a group in the current forest. If I use in 'AllowGroups' a group not in the current forest, authentication does not work, unless I do a successful authentication, and until I flush the groupmap.

And this using username, username and domain, or the UPN: the result is the same (e.g. does not work before a successful auth; works after that).

-- 