kerberos auth account restrictions
James Peach
jpeach at samba.org
Wed Jun 13 19:27:57 GMT 2007
On Jun 13, 2007, at 11:06 AM, Volker Lendecke wrote:
> On Wed, Jun 13, 2007 at 11:04:03AM -0700, James Peach wrote:
>> Is there a good reason that we don't do this for Kerberos auth in
>> reply_spnego_kerberos()?
>
> Others (the DC) decide over that. When we look at the SAM,
> we're the boss. For Kerberos or sec=domain we don't even
> have that info.

Hmmm. In both these cases, smbd manually creates a struct samu from
the auth information without hitting the passdb backend. In the
Kerberos case, it only does this if PAC information was included.

The context of this is that I have a local account lockout mechanism
that I need to support and it needs to work for all auth types. If the
Kerberos auth path did a pdb_getsampwnam and checked ACB_AUTOLOCK,
then I could hide this all in my passdb module.

Do you have any suggestions how I could do this? I'd rather not add a
system-specific check into the main code path if I don't have to.

--
James Peach | jpeach at samba.org