kerberos auth account restrictions
Andrew Bartlett
abartlet at samba.org
Thu Jun 14 05:49:30 GMT 2007
On Wed, 2007-06-13 at 12:27 -0700, James Peach wrote:
> On Jun 13, 2007, at 11:06 AM, Volker Lendecke wrote:
>
> > On Wed, Jun 13, 2007 at 11:04:03AM -0700, James Peach wrote:
> >> Is there a good reason that we don't do this for Kerberos auth in
> >> reply_spnego_kerberos()?
> >
> > Others (the DC) decide over that. When we look at the SAM,
> > we're the boss. For Kerberos or sec=domain we don't even
> > have that info.
>
> Hmmm. In both these cases, smbd manually creates a struct samu from
> the auth information without hitting the passdb backend. In the
> Kerberos case, it only does this if PAC information was included.
>
> The context of this is that I have a local account lockout mechanism
> that I need to support and it needs to work for all auth types. If the
> Kerberos auth path did a pdb_getsampwnam and checked ACB_AUTOLOCK,
> then I could hide this all in my passdb module.
>
> Do you have any suggestions how I could do this? I'd rather not add a
> system-specific check into the main code path if I don't have to.
Write a PAM module? :-)
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.