Jason Keltz
2021-Feb-11 01:28 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
I'm using winbind require_membership_of to restrict access to systems to users in a particular group. Let's say I have a system "a", and to login to that system, you have to be in group "a". I also have a system "b", and to login to that system, you have to be in group "b". I have "forwardable=true" in /etc/krb5.conf.

I'm logged into system "a" as a user in group "a" but NOT group "b". I can *successfully* ssh to system b (!!!). On the other hand, if I "kdestroy" my ticket first, THEN I try to ssh to system b, I get asked for my password on system b, and winbind group membership check will stop me from logging in.

I need winbind group membership check, but I also want to be able to support forwardable tickets. Is that somehow circumventing the check by winbind? and if so, how would I resolve that?

Jason.
Andrew Bartlett
2021-Feb-11 01:55 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
> I need winbind group membership check, but I also want to be able to
> support forwardable tickets. Is that somehow circumventing the check
> by winbind? and if so, how would I resolve that?

The winbind require_membership_of check is only made when locally authenticating users, e.g. by the winbindd process getting the password from pam_winbind.

See also https://bugzilla.samba.org/show_bug.cgi?id=14622

Sorry!

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source Solutions https://catalyst.net.nz/services/samba
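The practical consequence of Andrew's answer is that a host relying only on `require_membership_of` has no group gate for logins that never go through the pam_winbind auth phase, such as an ssh login with a forwarded Kerberos ticket (GSSAPI). Because sshd's own `AllowGroups` is evaluated for every authentication method, it closes that gap when set to the same group (winbind exposes the AD group to NSS, so the name resolves). The script below is an added example, not part of this thread or of Samba's tooling: it audits an sshd_config for the combination "GSSAPIAuthentication yes with no AllowGroups/AllowUsers", using constructed sample files; the function names `sshd_value` and `audit_sshd_config` and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): flag sshd_config files where GSSAPI
# logins would bypass winbind's require_membership_of because sshd itself
# imposes no group restriction.

# Print the first effective top-level value of KEYWORD in FILE.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive
# and everything after '#' is a comment. Lines inside Match blocks (from a
# "Match" line to end of file) are skipped, since they are conditional.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                     # strip comments
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == key {                    # keyword found: print its value
            v = ""
            for (i = 2; i <= NF; i++) v = v (i > 2 ? " " : "") $i
            print v
            exit
        }
    ' "$1"
}

# Return 0 when the file restricts logins by group/user (or has GSSAPI off),
# 1 when forwarded-ticket logins could skip the winbind group check.
audit_sshd_config() {
    f=$1
    gssapi=$(sshd_value "$f" GSSAPIAuthentication)
    [ -z "$gssapi" ] && gssapi=no               # OpenSSH default is "no"
    gssapi=$(printf '%s' "$gssapi" | tr 'A-Z' 'a-z')
    groups=$(sshd_value "$f" AllowGroups)
    users=$(sshd_value "$f" AllowUsers)
    if [ "$gssapi" = "yes" ] && [ -z "$groups" ] && [ -z "$users" ]; then
        echo "WARN $f: GSSAPIAuthentication yes and no AllowGroups/AllowUsers;" \
             "a forwarded ticket logs in without the require_membership_of check"
        return 1
    fi
    echo "OK $f: group gate present or GSSAPI disabled"
    return 0
}

# Constructed sample configs for host "a" from the thread: the weak one
# relies on winbind alone; the corrected one adds AllowGroups.
demo=$(mktemp -d)
printf 'UsePAM yes\nGSSAPIAuthentication yes\n' > "$demo/sshd_config.weak"
printf 'UsePAM yes\nGSSAPIAuthentication yes\nAllowGroups a\n' > "$demo/sshd_config.fixed"
audit_sshd_config "$demo/sshd_config.weak" || true
audit_sshd_config "$demo/sshd_config.fixed"
rm -rf "$demo"
```

The AllowGroups check runs inside sshd before PAM is consulted at all, so it applies to password, public-key and GSSAPI logins alike; keep `require_membership_of` in pam_winbind as well, since it still covers other PAM-using services on the host.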