Andrew Bartlett
2021-Feb-11 02:49 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
I know it is not popular to mention sssd around here, but that project has had a lot more emphasis on this kind of thing so perhaps look into the options there.

Andrew Bartlett

On Wed, 2021-02-10 at 21:30 -0500, Jason Keltz wrote:
> Andrew,
>
> Is there any way you can think of, even using an external module, where I can still control who can access which hosts?
>
> A solution that allows any user to get into any host will definitely not work because I have a lot of different access control that needs to be preserved.
>
> This is probably something that should really be added to the pam_winbind manual page.
>
> Jason.
>
> PS: If anyone else has any ideas, feel free to mention because I'm in big trouble now.
>
> On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> > On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
> > > I need winbind group membership check, but I also want to be able to support forwardable tickets. Is that somehow circumventing the check by winbind? and if so, how would I resolve that?
> > The winbind require_membership_of check is only made when locally authenticating users, eg by the winbindd process getting the password from pam_winbind.
> >
> > See also https://bugzilla.samba.org/show_bug.cgi?id=14622
> >
> > Sorry!
> >
> > Andrew Bartlett
> >
-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Jason Keltz
2021-Feb-11 02:56 UTC
[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
I'm sure that SSSD would likely work, and that's where I started off my experiments months ago until I was told not to expect compatibility between SSSD on client and Samba on server since SSSD is apparently tested against real Windows AD controllers, and not Samba. If only that compatibility was "pretty much" guaranteed I wouldn't mind focusing on Samba on the server, and SSSD on the clients.

One other option it seems is pam_access. It's not clear why pam_access should be able to restrict based on group (even when SSH certificates are involved) when pam_winbind can't. If that works, it might be a workable solution.

Jason.

On 2/10/2021 9:49 PM, Andrew Bartlett via samba wrote:
> I know it is not popular to mention sssd around here, but that project has had a lot more emphasis on this kind of thing so perhaps look into the options there.
>
> Andrew Bartlett
>
> On Wed, 2021-02-10 at 21:30 -0500, Jason Keltz wrote:
>> Andrew,
>>
>> Is there any way you can think of, even using an external module, where I can still control who can access which hosts?
>>
>> A solution that allows any user to get into any host will definitely not work because I have a lot of different access control that needs to be preserved.
>>
>> This is probably something that should really be added to the pam_winbind manual page.
>>
>> Jason.
>>
>> PS: If anyone else has any ideas, feel free to mention because I'm in big trouble now.
>>
>> On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
>>> On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
>>>> I need winbind group membership check, but I also want to be able to support forwardable tickets. Is that somehow circumventing the check by winbind? and if so, how would I resolve that?
>>> The winbind require_membership_of check is only made when locally authenticating users, eg by the winbindd process getting the password from pam_winbind.
>>>
>>> See also https://bugzilla.samba.org/show_bug.cgi?id=14622
>>>
>>> Sorry!
>>>
>>> Andrew Bartlett
>>>
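Added example, not code from the thread or from the Samba project: the pam_access route Jason mentions, shown as the weak PAM stack beside the hardened one, plus a small re-implementation of pam_access's first-match rule evaluation so the decisions can be checked offline. The reasoning it rests on: pam_winbind's require_membership_of is consulted when winbindd validates a password, so a login that sshd already accepted via a forwarded Kerberos ticket (GSSAPI) never reaches it, whereas sshd runs the PAM account stack for every authentication method when UsePAM is yes, so a group rule placed there is enforced for GSSAPI logins as well. The EXAMPLE domain, its groups, the user names, host names and the access-ssh.conf file name are all constructed; the config files are written to a scratch directory instead of /etc so the script runs as-is.

```shell
#!/bin/sh
# Added example (not Samba code). Domain, groups, users and hosts are constructed.
# pam_winbind's require_membership_of runs only when winbindd checks a password;
# sshd accepts a Kerberos/GSSAPI login before the PAM auth stack, so that gate is
# skipped. The PAM *account* stack runs for every auth method (UsePAM yes), so a
# pam_access rule there covers GSSAPI logins too.

SCRATCH=$(mktemp -d)                # stand-in for /etc so this runs offline
trap 'rm -rf "$SCRATCH"' EXIT
ACCESS="$SCRATCH/access-ssh.conf"   # would be /etc/security/access-ssh.conf

# Weak /etc/pam.d/sshd: the only group gate is in the auth stack and is skipped
# when the user was already authenticated by a forwarded Kerberos ticket.
cat > "$SCRATCH/sshd.weak" <<'EOF'
auth      sufficient  pam_winbind.so require_membership_of=EXAMPLE\linux-admins
auth      required    pam_unix.so
account   required    pam_unix.so
account   required    pam_winbind.so
EOF

# Hardened /etc/pam.d/sshd: same auth gate for password logins, plus pam_access in
# the account stack so the group check runs however the user proved their identity.
cat > "$SCRATCH/sshd.hardened" <<'EOF'
auth      sufficient  pam_winbind.so require_membership_of=EXAMPLE\linux-admins
auth      required    pam_unix.so
account   required    pam_access.so accessfile=/etc/security/access-ssh.conf
account   required    pam_unix.so
account   required    pam_winbind.so
EOF

# access.conf(5) rules: "permission : users/groups : origins". First matching line
# decides; a group name goes in parentheses; "10.0." is a network-number prefix;
# LOCAL matches logins with no remote host.
cat > "$ACCESS" <<'EOF'
+ : root : LOCAL
+ : (EXAMPLE\linux-admins) : ALL
+ : (EXAMPLE\lab-users) : 10.0.
- : ALL : ALL
EOF

# First-match evaluation for the subset of access.conf syntax used above (real
# pam_access resolves groups via NSS and also supports netgroups, EXCEPT lists
# and netmasks). Prints "+" (allow) or "-" (deny).
#   access_decision USER "GROUP ..." REMOTE_HOST RULEFILE
access_decision() {
    user=$1 memberof=$2 origin=$3 rules=$4
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d '[:space:]')
        who=$(printf '%s' "$line" | cut -d: -f2)
        from=$(printf '%s' "$line" | cut -d: -f3)
        if _who_match "$user" "$memberof" "$who" && _from_match "$origin" "$from"; then
            printf '%s\n' "$perm"
            return 0
        fi
    done < "$rules"
    printf '+\n'   # pam_access default when no rule matches: allow
}

_who_match() {   # $1 user, $2 groups the user belongs to, $3 users/groups field
    for tok in $3; do
        case $tok in
            ALL)   return 0 ;;
            \(*\)) g=${tok#\(}; g=${g%\)}
                   for m in $2; do [ "$m" = "$g" ] && return 0; done ;;
            *)     [ "$tok" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

_from_match() {  # $1 remote host ("" for a local login), $2 origins field
    for tok in $2; do
        case $tok in
            ALL)   return 0 ;;
            LOCAL) [ -z "$1" ] && return 0 ;;
            *.)    case $1 in "$tok"*) return 0 ;; esac ;;   # network number, e.g. 10.0.
            .*)    case $1 in *"$tok") return 0 ;; esac ;;   # domain suffix, e.g. .example.com
            *)     [ "$tok" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# Standalone run: what the hardened stack decides for a few constructed logins.
show() { printf '%-7s from %-16s -> %s\n' "$1" "$3" "$(access_decision "$1" "$2" "$3" "$ACCESS")"; }
show jkeltz 'EXAMPLE\linux-admins EXAMPLE\domain-users' ws1.example.com
show alice  'EXAMPLE\domain-users'                      ws1.example.com
show bob    'EXAMPLE\lab-users'                         10.0.3.7
show bob    'EXAMPLE\lab-users'                         192.0.2.9
```

Two caveats when deploying the hardened stack for real: pam_access resolves group membership through NSS, so winbind must be in nsswitch.conf and the group name in access.conf must match what `id` prints on that host (it changes with `winbind separator` and `winbind use default domain`); and sshd's own `AllowGroups` in sshd_config is a simpler gate that is likewise evaluated for every authentication method, at the cost of one per-host setting instead of a PAM rule file.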