[PATCH] make 'required_membership_sid' accessible for pam_winbind
Andrew Bartlett
abartlet at samba.org
Wed Jul 7 23:32:42 GMT 2004
On Thu, 2004-07-08 at 05:21, Guenther Deschner wrote:
> Hi,
>
> For some time winbindd has had code for honoring a group-sid to make successful
> authentication dependent on group-membership. ntlm_auth uses this feature.
> Attached is a quick patch that makes it accessible for pam_winbind as well.
>
> This allows you to configure:
>
> auth sufficient pam_winbind.so required_membership=S-1-5-21-3166309798-1443334765-3819889277-519
>
> or even
>
> auth sufficient pam_winbind.so required_membership=W2K3TEST\Organisations-Admins
>
> in your pam-stack.
>
> I'm a bit unsure though if the pam-auth-facility is the right place to add it.

I think it's a great idea, and it's in exactly the right place. (Well,
it belongs in account, but Windows does not allow the two to be
separated).

I think it should be for all SIDs, not just domain groups - that allows
us to limit a login to exactly one user, if we wish.

Andrew Bartlett