Rowland penny
2021-Jun-06 11:17 UTC
[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
On 06/06/2021 12:02, Kees van Vloten wrote:
> On 06-06-2021 12:52, Rowland penny via samba wrote:
>> On 06/06/2021 11:20, Kees van Vloten wrote:
>>>
>>> The problem is not on the DC, users do not login there.
>>> There are some member-servers that do need domain-user logins, e.g.
>>> over ssh.
>>>
>>> I have already found out that sssd is not good to maintain the
>>> computer-account password, does not support ntlm and really want the
>>> same tool for id-mapping everywhere. Since that is winbind on the DC
>>> and on the SMB-fileserver, the idea is to use it on other member
>>> servers for NSS as well.
>>>
>>> However due to https://bugzilla.samba.org/show_bug.cgi?id=14622
>>> pam-winbind is not the right tool for user logins. I tried pam-sss
>>> instead with good results.
>>>
>>> That's the background.
>>> - Would pam-sss + winbind for NSS work on a member-server?
>>
>> Probably, possibly, but you only get authentication, so you might
>> just as well use sssd by itself. If you want shares, then you really
>> need the full Samba stack.
>>
> Not really, as it does not update the computer-account pw after 30
> days automatically. That is why I want the computer-account to be
> maintained by winbind.

There you go, yet another reason not to use sssd; it has been that long since I used sssd, so I was unaware of that.

>>
>>> - Does the combination nslcd, pam, ldap provide the users with a
>>> kerberos ticket?
>>
>> It has been some time since I used nslcd, but I believe so.
>>
>> Of course it would be so much better if that bug was fixed, it is (in
>> my opinion) a security bug, disabled users or users with expired
>> passwords should not be able to login by any method.
>>
>> Rowland
>>
> I agree with you that this is a security bug, the whole idea of expiring
> is that they do not get access without changing their pw.
> Is there anything that can be done to get the bug 14622 labelled as a
> security issue?
>
> For me pam-winbind would be the preferred solution because it
> simplifies the setup, less software is better :-)

Okay Andrew, why isn't this a security problem?

Rowland