'force user' broken for winbind users?

Andrew Bartlett abartlet at samba.org
Fri Jan 13 10:01:23 GMT 2006

On Fri, 2006-01-13 at 10:51 +0100, Volker Lendecke wrote:
> On Fri, Jan 13, 2006 at 08:30:47PM +1100, Andrew Bartlett wrote:
> > I don't see this as just an issue with 'force user', but any application
> > that does a login without a password or submitting the PAC to winbindd.
> > 
> > So, the same problem occours with a key-based or kerberoized SSH login,
> > or a su to a user.
> True. But the question is: What can we do about it?
> > There was comment on this list a couple of months ago about some way to
> > get a PAC from windows with a faked up ticket, perhaps that is where we
> > need to look?
> Weird example: We're member of a NT4 (or Samba) domain that trusts highly
> tightened AD. No way to get the grouplist for a user.

Ouch.  How much do we see the NT4 domain case?  If it is just Samba, can
we add some of our own DCE/RPC and move to using kerberos on the Samba
DC->remote trust link?

> I know I'm constructing artificial examples here, but for this security
> sensitive area I want to at least *know* where we stand and what we can
> reliably do. And at the moment to me it seems that we're rather screwed if
> winbind is not involved in the authentication process.

Indeed!  This area has been too wishy-washy in past.  

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20060113/d2cd19f8/attachment.bin

More information about the samba-technical mailing list