mod_ntlm_winbind question

Andrew Bartlett abartlet at samba.org
Thu Sep 30 21:51:07 GMT 2004


On Fri, 2004-10-01 at 07:40, Eric Ladner wrote:
> Do you think it would be possible to modify this module to provide group
> authentication capabilities?
> 
> For example, to allow members of an NT group to be passed through, something
> like so:
> 
> blah blah...
> NTLMGroup  SomeNTGroup SomeOtherNtGroup
> Require    valid-user
> 
> That way, anybody who is a member of those two groups would get through without
> noticing the authentication, but anyone else is blocked.
> 
> I think the smbauth mod does this, but it lacks the NTLM part for transparent
> authentication.

There are two ways this is solved.

The first is the '--require-membership-of' hack.  This is an option to
ntlm_auth, which causes the *authentication* to fail if the user isn't
in a particular group.  The idea is to avoid putting 'administrator' in
this group, and therefore avoid some of the security implications of
unlimited attacks on the admin password.

I have discussed here before extensions to ntlm_auth to make it return
user groups, for use in the authorization stage, and this in turn could
be hooked into such an Apache option.  

I'll happily take patches, otherwise I'll add it to the list (please
file a bug against ntlm_auth).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net