Jason Keltz
2021-Feb-11 02:30 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
Andrew,

Is there any way you can think of, even using an external module, where I can still control who can access which hosts?

A solution that allows any user to get into any host will definitely not work because I have a lot of different access control that needs to be preserved.

This is probably something that should really be added to the pam_winbind manual page.

Jason.

PS: If anyone else has any ideas, feel free to mention because I'm in big trouble now.

On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
>> I need winbind group membership check, but I also want to be able to
>> support forwardable tickets. Is that somehow circumventing the check by
>> winbind? and if so, how would I resolve that?
> The winbind require_membership_of check is only made when locally
> authenticating users, eg by the winbindd process getting the password
> from pam_winbind.
>
> See also https://bugzilla.samba.org/show_bug.cgi?id=14622
>
> Sorry!
>
> Andrew Bartlett
Andrew Bartlett
2021-Feb-11 02:49 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
I know it is not popular to mention sssd around here, but that project has had a lot more emphasis on this kind of thing so perhaps look into the options there.

Andrew Bartlett

On Wed, 2021-02-10 at 21:30 -0500, Jason Keltz wrote:
> Andrew,
>
> Is there any way you can think of, even using an external module, where
> I can still control who can access which hosts?
>
> A solution that allows any user to get into any host will definitely not
> work because I have a lot of different access control that needs to be
> preserved.
>
> This is probably something that should really be added to the
> pam_winbind manual page.
>
> Jason.
>
> PS: If anyone else has any ideas, feel free to mention because I'm in
> big trouble now.
>
> On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> > On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
> > > I need winbind group membership check, but I also want to be able to
> > > support forwardable tickets. Is that somehow circumventing the check
> > > by winbind? and if so, how would I resolve that?
> > The winbind require_membership_of check is only made when locally
> > authenticating users, eg by the winbindd process getting the password
> > from pam_winbind.
> >
> > See also https://bugzilla.samba.org/show_bug.cgi?id=14622
> >
> > Sorry!
> >
> > Andrew Bartlett
> >
-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
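Editor's illustration of the gap discussed in this thread and of the sssd route Andrew points to. This is constructed configuration, not text from either message and not Samba or sssd project documentation. It assumes an AD domain named example.com (NetBIOS name EXAMPLE), a placeholder group linux-login-hosts-a, and sshd running with UsePAM enabled so that the PAM account phase runs for GSSAPI logins as well as password logins.

```ini
# /etc/security/pam_winbind.conf  (constructed example)
#
# require_membership_of is evaluated by winbindd only when pam_winbind
# itself authenticates the user with a password (the PAM auth phase).
# A session established with a forwarded Kerberos ticket over GSSAPI
# never reaches that step, so this setting alone does not restrict
# which hosts such a user can log in to.
[global]
require_membership_of = EXAMPLE\linux-login-hosts-a

# /etc/sssd/sssd.conf  (constructed example of the sssd alternative)
#
# sssd applies its access provider from pam_sss in the PAM *account*
# phase. sshd with UsePAM still runs the account phase for a GSSAPI
# login (assumption stated in the lead-in), so the group restriction
# holds no matter how the user proved their identity.
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = simple
# placeholder group; members of any other group are denied at login
simple_allow_groups = linux-login-hosts-a
```

The practical check on a host is to confirm that the PAM stack for sshd includes `account required pam_sss.so` and then attempt a GSSAPI login as a user outside the allowed group: the expected outcome is a denial logged by sssd's PAM responder rather than a successful shell, which is the verification the pam_winbind setup in this thread cannot provide for ticket-based logins.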