'force user' broken for winbind users?

Andrew Bartlett abartlet at samba.org
Fri Jan 13 10:01:23 GMT 2006


On Fri, 2006-01-13 at 10:51 +0100, Volker Lendecke wrote:
> On Fri, Jan 13, 2006 at 08:30:47PM +1100, Andrew Bartlett wrote:
> > I don't see this as just an issue with 'force user', but any application
> > that does a login without a password or submitting the PAC to winbindd.
> > 
> > So, the same problem occurs with a key-based or kerberized SSH login,
> > or a su to a user.
> 
> True. But the question is: What can we do about it?
> 
> > There was comment on this list a couple of months ago about some way to
> > get a PAC from windows with a faked up ticket, perhaps that is where we
> > need to look?
> 
> Weird example: We're a member of an NT4 (or Samba) domain that trusts a highly
> tightened AD. No way to get the grouplist for a user.

Ouch.  How much do we see the NT4 domain case?  If it is just Samba, can
we add some of our own DCE/RPC and move to using kerberos on the Samba
DC->remote trust link?

> I know I'm constructing artificial examples here, but for this security
> sensitive area I want to at least *know* where we stand and what we can
> reliably do. And at the moment to me it seems that we're rather screwed if
> winbind is not involved in the authentication process.

Indeed!  This area has been too wishy-washy in the past.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net