[PATCH] make 'required_membership_sid' accessible for pam_winbind

Andrew Bartlett abartlet at samba.org
Wed Jul 7 23:32:42 GMT 2004


On Thu, 2004-07-08 at 05:21, Guenther Deschner wrote:
> Hi,
> 
> Since some time winbindd has code for honoring a group-sid to make successful
> authentication dependent on group-membership. ntlm_auth uses this feature.
> Attached is a quick patch that makes it accessible for pam_winbind as well.
> 
> This allows to configure:
> 
> auth sufficient pam_winbind.so  required_membership=S-1-5-21-3166309798-1443334765-3819889277-519
> 
> or even 
> 
> auth sufficient pam_winbind.so  required_membership=W2K3TEST\Organisations-Admins
> 
> in your pam-stack.
> 
> I'm a bit unsure though if the pam-auth-facility is the right place to add it. 

I think it's a great idea, and it's in exactly the right place.  (Well,
it belongs in account, but Windows does not allow the two to be
separated).

I think it should be for all SIDs, not just domain groups - that allows
us to limit a login to exactly one user, if we wish.

Andrew Bartlett