Hello once again,
I've got winbind doing authentication not just for the samba service but also sshd and
login. It's great. However, I have to give a fully-qualified username (e.g.
"GENEEDINC+chris.palmer") as the username when logging in via these methods. I
wondered, is there any way to get winbindd to insert the domain and the separator for
the user, when none is provided?
I checked winbindd(8). There is $WINBINDD_DOMAIN, but my expectations about what it
provides appear to be wrong -- it's a security restriction and not a user-friendly
helper.
===
Client processes resolving names through the winbindd nsswitch
module read an environment variable named $WINBINDD_DOMAIN.
If this variable contains a comma separated
list of Windows NT domain names, then winbindd will only
resolve users and groups within those Windows NT domains.
===
Figuring sshd was the client of winbindd, I tried this:
===
# WINBINDD_DOMAIN=GENEEDINC sshd
# ssh -l chris.palmer localhost
chris.palmer@localhost's password:
Permission denied, please try again.
chris.palmer@localhost's password:
Permission denied, please try again.
chris.palmer@localhost's password:
Permission denied (publickey,password,keyboard-interactive).
===
The contents of /var/log/secure ("sshd[15753]: input_userauth_request: illegal user
chris.palmer") suggest that it didn't assume "GENEEDINC+" at the beginning of my
username like I'd hoped.
It'd be nice if there were an smb.conf option for [global] like "default winbind
domain = WHATEVER". Is there a plan to include such a feature in the future, or does
this feature exist and I just haven't found it?
Thanks again,
--
Chris Palmer Systems Programmer GeneEd