'force user' broken for winbind users?

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jan 13 09:51:56 GMT 2006


On Fri, Jan 13, 2006 at 08:30:47PM +1100, Andrew Bartlett wrote:
> I don't see this as just an issue with 'force user', but any application
> that does a login without a password or submitting the PAC to winbindd.
> 
> So, the same problem occurs with a key-based or kerberized SSH login,
> or a su to a user.

True. But the question is: What can we do about it?

> There was comment on this list a couple of months ago about some way to
> get a PAC from windows with a faked up ticket, perhaps that is where we
> need to look?

Weird example: We're a member of an NT4 (or Samba) domain that trusts a highly
tightened AD. No way to get the grouplist for a user.

I know I'm constructing artificial examples here, but for this security
sensitive area I want to at least *know* where we stand and what we can
reliably do. And at the moment to me it seems that we're rather screwed if
winbind is not involved in the authentication process.

Volker