[PATCH] Fix pam_winbind config parsing for require_membership_of

Garming Sam garming at catalyst.net.nz
Thu Dec 5 22:30:27 MST 2013

On 29/11/13 20:27, Andrew Bartlett wrote:
> On Thu, 2013-11-28 at 22:17 +0000, Nathan Frankish wrote:
>> Hi David,
>> I can and we will test that today. But I'm more concerned about why PAM_WINBIND is authorizing the account (pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)).
> The require_membership_of stuff is handled in the authenticate hook, not
> the authorization hook as you would expect.  The reason is that it's
> only on the password authentication hook that we get the authoritative
> source of information regarding the group memberships of the user.
> In many ways we have been caught out by a feature I added for ntlm_auth
> for squid (always password-based), that has spread, but not been clear
> about its limitations.
> Patches to change the account module to reject this option would be very
> worthwhile, if possible.
> Andrew Bartlett

Hi there,

Just been working with Andrew on this. We've added code to reject this 
configuration and we've altered the documentation to reflect this 
change. The patches also change the handling of invalid configuration files 
so that it should error out gracefully.

Take care, however, because if you have require_membership_of in the 
account line, then you may not be able to log in.  Also, just be careful, 
as PAM modules are quite critical: if there is a fault in the code we 
changed, you may need to get to single-user mode to remove pam_winbind 
from your configuration.


Garming Sam

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pam_winbind-Fix-segfault-caused-by-invalid-configura.patch
Type: text/x-patch
Size: 3418 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131206/610d8bdb/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-pam_winbind-Do-not-honour-require_membership_of-in-t.patch
Type: text/x-patch
Size: 6434 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131206/610d8bdb/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Revert-pam_winbind-fix-segfault-in-pam_sm_authentica.patch
Type: text/x-patch
Size: 923 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131206/610d8bdb/attachment-0002.bin>
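The configuration hazard the thread describes, as an added example that is not part of the patches attached above nor of Samba itself: a small audit script that finds PAM stack files where require_membership_of is passed to pam_winbind on an "account" line (where the module never enforced it, and where the patched module will reject it and refuse logins), and reports which phases actually carry the option. The two sample stack files it writes are constructed for the example, not real system files, and the parsing assumes standard Linux-PAM line syntax (`<type> <control> <module> [arguments]`).

```shell
#!/bin/sh
# Added example; not code from the Samba patch series discussed above.
# Audits PAM stack files for pam_winbind's require_membership_of placed on an
# "account" line. pam_winbind enforces that option only in its authenticate
# hook, so on the account line it gives no group restriction with the older
# module and is rejected as invalid configuration (logins then fail) with the
# patched one. Assumes standard Linux-PAM line syntax:
#   <type> <control> <module> [module-arguments]

# Print every "account" (or "-account") line of FILE that loads pam_winbind
# and carries a require_membership_of argument, prefixed with its line number.
# Returns 0 when the file is clean, 1 when at least one such line exists.
pam_winbind_rmo_on_account() {
    file=$1
    hits=$(grep -nE '^[[:space:]]*-?account[[:space:]]' "$file" 2>/dev/null \
            | grep -E '[[:space:]]pam_winbind(\.so)?([[:space:]]|$)' \
            | grep -E '(^|[[:space:]])require_membership_of=' || true)
    [ -z "$hits" ] && return 0
    printf '%s: require_membership_of on account line(s):\n%s\n' "$file" "$hits"
    return 1
}

# Print the PAM phases (auth/account/password/session) on which FILE passes
# require_membership_of to pam_winbind, one per line, comments excluded.
# Lets you confirm the option ended up on the "auth" line after moving it.
pam_winbind_rmo_phases() {
    grep -vE '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -E '[[:space:]]pam_winbind(\.so)?([[:space:]]|$)' \
        | grep -E '(^|[[:space:]])require_membership_of=' \
        | awk '{ sub(/^-/, "", $1); print $1 }' | sort -u
}

# Constructed sample stacks (not real system files): the first puts the option
# where pam_winbind ignores it, the second where pam_winbind enforces it.
write_sample_stacks() {
    dir=$1
    cat > "$dir/sshd.bad" <<'EOF'
# constructed sample: option on the account line does not restrict logins
auth     sufficient pam_winbind.so
auth     required   pam_unix.so try_first_pass
account  sufficient pam_winbind.so require_membership_of=DOMAIN\ssh-users
account  required   pam_unix.so
EOF
    cat > "$dir/sshd.good" <<'EOF'
# constructed sample: option on the auth line, where pam_winbind checks it
auth     sufficient pam_winbind.so require_membership_of=DOMAIN\ssh-users
auth     required   pam_unix.so try_first_pass
account  sufficient pam_winbind.so
account  required   pam_unix.so
EOF
}

# Stand-alone usage: audit the constructed samples (point it at /etc/pam.d/*
# on a real host). Offending files are reported by pam_winbind_rmo_on_account.
demo_dir=$(mktemp -d)
write_sample_stacks "$demo_dir"
for f in "$demo_dir"/sshd.bad "$demo_dir"/sshd.good; do
    if pam_winbind_rmo_on_account "$f"; then
        printf '%s: ok (require_membership_of on phase: %s)\n' \
            "$f" "$(pam_winbind_rmo_phases "$f" | tr '\n' ' ')"
    fi
done
rm -rf "$demo_dir"
```

Run it against a copy of your PAM stacks before upgrading the module: any file it flags needs require_membership_of moved from the account line to the auth line, otherwise the patched pam_winbind will refuse the configuration and, as the message above warns, you may be locked out until you repair it from single-user mode.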
