'force user' broken for winbind users?

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jan 13 09:51:56 GMT 2006

On Fri, Jan 13, 2006 at 08:30:47PM +1100, Andrew Bartlett wrote:
> I don't see this as just an issue with 'force user', but any application
> that does a login without a password or submitting the PAC to winbindd.
> So, the same problem occurs with a key-based or kerberized SSH login,
> or a su to a user.

True. But the question is: What can we do about it?

> There was comment on this list a couple of months ago about some way to
> get a PAC from windows with a faked up ticket, perhaps that is where we
> need to look?

Weird example: We're a member of an NT4 (or Samba) domain that trusts a highly
tightened AD. No way to get the grouplist for a user.

I know I'm constructing artificial examples here, but for this
security-sensitive area I want to at least *know* where we stand and what we can
reliably do. And at the moment to me it seems that we're rather screwed if
winbind is not involved in the authentication process.
