'force user' broken for winbind users?

todd stecher tstecher at isilon.com
Fri Jan 13 19:18:59 GMT 2006

On Fri, 2006-01-13 at 20:30 +1100, Andrew Bartlett wrote:
> On Thu, 2006-01-12 at 23:25 +0100, Volker Lendecke wrote:
> > Hi!
> > 
> > Looking at the group membership functions a bit closer I came across the force
> > user code. Depending on the Windows versions it is impossible to reliably
> > figure out the groups a user is member of without actually logging in. So
> > consequentially force user = winbind-user is bound to fail sooner or later.
> > force group might be ok, this just sets the primary group. But force user not
> > only sets the uid but also the list of groups the forced user is in.
> I don't see this as just an issue with 'force user', but any application
> that does a login without a password or submitting the PAC to winbindd.
> So, the same problem occours with a key-based or kerberoized SSH login,
> or a su to a user.
> There was comment on this list a couple of months ago about some way to
> get a PAC from windows with a faked up ticket, perhaps that is where we
> need to look?
> Andrew Bartlett

If you have a TGT, you should be able to use the User2User protocol to
get a service ticket to yourself (use the UPN or just the username as
the target).  From there, its a simple matter of decrypting the ticket
and extracting the PAC.

Todd Stecher

More information about the samba-technical mailing list