[RFC] When require_membership_of parameter contains invalid groups, we should ignore the invlid groups instead of failing the authentication completely

boyang boyang at samba.org
Wed Oct 14 00:38:03 MDT 2009

    When require_membership_of parameter in pam_winbind contains invalid
groups, all users cannot login. Because authentication fails when it
cannot convert group name to sid.
    Should we continue with the group list ignoring the invalid ones?
For example:
    user A belongs to group B and C. group C is an invalid group.
    require_membership_of = B,C
    In this case, A cannot login. It might be better if we print a
warning message to indicate that some groups might be invalid.

    Patch for master is in the attachment.
    I am not sure whether this will incur other issues. :-) Please comment.

Bo Yang, Software Engineer, Suse Labs
GPG-key-ID   538C4C1A
Samba Team   boyang at samba.org    http://www.samba.org/
SUSE Linux   boyang at suse.de      http://www.novell.com/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pam_winbind-require-membership-master.mbox
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091014/f50ee711/attachment.ksh>

More information about the samba-technical mailing list