'force user' broken for winbind users?
abartlet at samba.org
Fri Jan 13 09:30:47 GMT 2006
On Thu, 2006-01-12 at 23:25 +0100, Volker Lendecke wrote:
> Looking at the group membership functions a bit closer I came across the force
> user code. Depending on the Windows versions it is impossible to reliably
> figure out the groups a user is a member of without actually logging in. So
> consequentially force user = winbind-user is bound to fail sooner or later.
> force group might be ok, this just sets the primary group. But force user not
> only sets the uid but also the list of groups the forced user is in.
I don't see this as just an issue with 'force user', but any application
that does a login without a password or submitting the PAC to winbindd.
So, the same problem occurs with a key-based or kerberized SSH login,
or a su to a user.
There was a comment on this list a couple of months ago about some way to
get a PAC from Windows with a faked up ticket, perhaps that is where we
need to look?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net