'force user' broken for winbind users?
todd stecher
tstecher at isilon.com
Fri Jan 13 19:18:59 GMT 2006
On Fri, 2006-01-13 at 20:30 +1100, Andrew Bartlett wrote:
> On Thu, 2006-01-12 at 23:25 +0100, Volker Lendecke wrote:
> > Hi!
> >
> > Looking at the group membership functions a bit closer I came across the force
> > user code. Depending on the Windows versions it is impossible to reliably
> > figure out the groups a user is a member of without actually logging in. So
> > consequently force user = winbind-user is bound to fail sooner or later.
> > force group might be ok, this just sets the primary group. But force user not
> > only sets the uid but also the list of groups the forced user is in.
>
> I don't see this as just an issue with 'force user', but any application
> that does a login without a password or submitting the PAC to winbindd.
>
> So, the same problem occurs with a key-based or kerberized SSH login,
> or a su to a user.
>
> There was comment on this list a couple of months ago about some way to
> get a PAC from windows with a faked up ticket, perhaps that is where we
> need to look?
>
> Andrew Bartlett
>
If you have a TGT, you should be able to use the User2User protocol to
get a service ticket to yourself (use the UPN or just the username as
the target). From there, it's a simple matter of decrypting the ticket
and extracting the PAC.
Todd Stecher
More information about the samba-technical mailing list