Marco Gaiarin
2025-Nov-18 21:46 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
Greetings! Rowland Penny via samba
On that day you wrote...

> First, you cannot use 'idmap config mydomain_tre : unix_primary_group
> = yes' with the 'rid' backend, it is purely an idmap_ad setting.

Uh. Oh. Sorry.

But anyway this output was taken (and redacted) from 'testparm', so it seems it was considered...

> You also cannot use 'winbind use default domain = Yes' with your set
> up, you need to connect as the users 'MYDOMAIN_UNO\fred' or
> 'MYDOMAIN_TRE\fred' for instance.

No, 'winbind use default domain = Yes' works as expected and it is not the source of trouble.

After some testing the culprit seems to come from the forest (or other domain in the forest), so all works as expected until I use a group in the current forest.

If I use in 'AllowGroup' a group not in the current forest, authentication does not work, except if I do a successful authentication and until I flush the groupmap.

And this using username, username and domain, or the UPN: the result is the same (e.g. it does not work before a successful auth; it works after that).

--
Rowland Penny
2025-Nov-19 09:43 UTC
[Samba] [Repost] PAM, Winbind, SSH and 'require_membership_of' in a forest...
On Tue, 18 Nov 2025 22:46:55 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Greetings! Rowland Penny via samba
> On that day you wrote...
>
> > First, you cannot use 'idmap config mydomain_tre :
> > unix_primary_group = yes' with the 'rid' backend, it is purely an
> > idmap_ad setting.
>
> Uh. Oh. Sorry.
>
> But anyway this output was taken (and redacted) from 'testparm', so
> it seems it was considered...

For some reason, testparm does not parse the 'idmap config' lines and ignores them.

> > You also cannot use 'winbind use default domain = Yes' with your set
> > up, you need to connect as the users 'MYDOMAIN_UNO\fred' or
> > 'MYDOMAIN_TRE\fred' for instance.
>
> No, 'winbind use default domain = Yes' works as expected and it is not
> the source of trouble.

It might work as you expect, but it doesn't work as you think.

Let's take a username 'fred' that exists in 'DOMAIN_A' and 'DOMAIN_B', that is 'DOMAIN_A\fred' and 'DOMAIN_B\fred'. Locally, both will be seen as 'fred', but:

DOMAIN_A\fred is Fred Bloggs
DOMAIN_B\fred is Fredrica Bloggs

Obviously two different people.

> After some testing the culprit seems to come from the forest (or other
> domain in the forest), so all works as expected until I use a group
> in the current forest.
>
> If I use in 'AllowGroup' a group not in the current forest,
> authentication does not work, except if I do a successful
> authentication and until I flush the groupmap.
>
> And this using username, username and domain, or the UPN: the result
> is the same (e.g. it does not work before a successful auth; it works after
> that).

I would think (never having tried this) that the group would have to be a local Unix group.

Rowland
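A diagnostic to run on the SSH host before relying on an AD group in sshd 'AllowGroups', added here as an example and not taken from either post: it checks that the group resolves through NSS/winbind and that it appears in the user's supplementary group list, which is what sshd actually compares against (so a group that only shows up after a successful login, as described above, would fail this check beforehand). The user and group names are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Before putting an AD group into
# sshd 'AllowGroups', confirm (1) that 'getent group' resolves it via
# winbind and (2) that the user's group list contains it, spelled exactly
# as NSS returns it (with or without the DOMAIN\ prefix, depending on the
# winbind settings). 'fred' and 'MYDOMAIN_TRE\linuxadmins' are placeholders.

# group_resolves GROUP: 0 if NSS knows GROUP, non-zero otherwise
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# user_groups USER: one group name per line from the user's supplementary
# group list. Caveat: group names containing spaces are split by this.
user_groups() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n'
}

# user_in_group USER GROUP: 0 if GROUP is in USER's group list
user_in_group() {
    user_groups "$1" | grep -Fqx -- "$2"
}

# check_allowgroup USER GROUP: prints a verdict and returns
#   0 usable, 1 group resolves but user is not in it, 2 group unresolvable
check_allowgroup() {
    user=$1 group=$2
    if ! group_resolves "$group"; then
        echo "group '$group' does not resolve via NSS: AllowGroups cannot match it"
        return 2
    fi
    if user_in_group "$user" "$group"; then
        echo "'$user' is in '$group': AllowGroups entry is usable"
        return 0
    fi
    echo "'$group' resolves but is not in the group list of '$user': check winbind mapping"
    return 1
}

# Usage: sh check_allowgroup.sh USER 'DOMAIN\group'
if [ $# -eq 2 ]; then
    check_allowgroup "$1" "$2"
fi
```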