Andrew Bartlett
2021-Feb-11 01:55 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
> I need winbind group membership check, but I also want to be able to
> support forwardable tickets. Is that somehow circumventing the check
> by winbind? and if so, how would I resolve that?

The winbind require_membership_of check is only made when locally authenticating users, eg by the winbindd process getting the password from pam_winbind.

See also https://bugzilla.samba.org/show_bug.cgi?id=14622

Sorry!

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source Solutions https://catalyst.net.nz/services/samba
Jason Keltz
2021-Feb-11 02:30 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
Andrew,

Is there any way you can think of, even using an external module, where I can still control who can access which hosts? A solution that allows any user to get into any host will definitely not work because I have a lot of different access control that needs to be preserved.

This is probably something that should really be added to the pam_winbind manual page.

Jason.

PS: If anyone else has any ideas, feel free to mention because I'm in big trouble now.

On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
>> I need winbind group membership check, but I also want to be able to
>> support forwardable tickets. Is that somehow circumventing the check
>> by winbind? and if so, how would I resolve that?
> The winbind require_membership_of check is only made when locally
> authenticating users, eg by the winbindd process getting the password
> from pam_winbind.
>
> See also https://bugzilla.samba.org/show_bug.cgi?id=14622
>
> Sorry!
>
> Andrew Bartlett
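
An added example, not part of the thread and not Samba's own code: a small Python check that lists which pam_winbind entries in a PAM service file carry require_membership_of, so an administrator can see which restrictions depend on the password path described in the reply above. The sample file, group name and SID are constructed, and only module arguments in a pam.d-style file are read.

```python
import re

# Constructed sample of a pam.d service file (not taken from the thread).
SAMPLE_PAM = """\
# constructed example
auth     sufficient  pam_unix.so nullok
auth     [success=1 default=ignore]  pam_winbind.so use_first_pass \\
         require_membership_of=EXAMPLE\\lab-users,S-1-5-21-1111-2222-3333-1105
account  required    pam_winbind.so
session  optional    pam_winbind.so mkhomedir
"""

# pam.d line: type, control (word or [bracketed list]), module, arguments.
LINE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def winbind_membership_entries(pam_text):
    """Return one dict per pam_winbind line: its PAM type and required groups."""
    joined = re.sub(r"\\\n", " ", pam_text)  # fold backslash continuations
    found = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE_RE.match(line)
        if not m or not m["module"].endswith("pam_winbind.so"):
            continue
        groups = []
        for arg in m["args"].split():
            key, _, value = arg.partition("=")
            if key == "require_membership_of":
                groups = [g for g in value.split(",") if g]
        found.append({"type": m["type"], "groups": groups})
    return found


def password_path_restrictions(pam_text):
    """Groups whose enforcement relies on winbindd receiving the password."""
    return sorted({g for e in winbind_membership_entries(pam_text)
                   for g in e["groups"]})


if __name__ == "__main__":
    for entry in winbind_membership_entries(SAMPLE_PAM):
        print(entry)
    print("enforced only on password logins:",
          password_path_restrictions(SAMPLE_PAM))
```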