[Samba] [PATCH] Fix pam_winbind config parsing for require_membership_of

Garming Sam garming at catalyst.net.nz
Sun Dec 15 21:04:37 MST 2013


On 06/12/13 18:30, Garming Sam wrote:
> On 29/11/13 20:27, Andrew Bartlett wrote:
>> On Thu, 2013-11-28 at 22:17 +0000, Nathan Frankish wrote:
>>> Hi David,
>>>
>>> I can and we will test that today. But I'm more concerned about why 
>>> PAM_WINBIND is authorizing the account (pam_sm_acct_mgmt returning 0 
>>> (PAM_SUCCESS)).
>> The require_membership_of stuff is handled in the authenticate hook, not
>> the authorization hook as you would expect.  The reason is that it's
>> only on the password authentication hook that we get the authoritative
>> source of information regarding the group memberships of the user.
>>
>> In many ways we have been caught out by a feature I added for ntlm_auth
>> for squid (always password-based), that has spread, but not been clear
>> about its limitations.
>>
>> Patches to change the account module to reject this option would be very
>> worthwhile, if possible.
>>
>> Andrew Bartlett
>>
>
> Hi there,
>
> Just been working with Andrew on this. We've added code to reject this 
> configuration and we've altered the documentation to reflect this 
> change. The patches also change handling of invalid configuration 
> files so that it should error out gracefully.
>
> Take care however, because if you have the require_membership_of in 
> the account line, then you may not be able to log in.  Also, just be 
> careful that PAM modules are quite critical, if there is a fault in 
> the code we changed, you may need to get to single user mode to remove 
> pam_winbind from your configuration.
>
>
> Cheers,
>
> Garming Sam
>
>
>

Just corrected my name in the commits. Are there any comments you can 
make? Otherwise, can it be reviewed and sent to master?


Thanks,

Garming Sam
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pam_winbind-Fix-segfault-caused-by-invalid-configura.patch
Type: text/x-patch
Size: 1700 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131216/25ea2122/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-pam_winbind-Do-not-honour-require_membership_of-in-t.patch
Type: text/x-patch
Size: 8148 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131216/25ea2122/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Revert-pam_winbind-fix-segfault-in-pam_sm_authentica.patch
Type: text/x-patch
Size: 981 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131216/25ea2122/attachment-0002.bin>
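The thread warns that once pam_winbind rejects require_membership_of on the account stack, an existing configuration that carries the option there may stop logins. The script below is an added example, not part of the Samba patch series or the author's code: it audits a PAM configuration for the misplaced option before an upgrade. The sample configuration text and the function names (check_pam_winbind_rmo, count_misplaced) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Samba patches): find PAM lines where
# pam_winbind's require_membership_of sits on the "account" stack. Per the
# thread, group membership is only authoritative in the authentication hook,
# so the option belongs on an "auth" line, and newer pam_winbind rejects it
# on "account" lines.

# Constructed sample of an /etc/pam.d style file with the option misplaced.
SAMPLE_PAM_CONF='auth    sufficient  pam_winbind.so krb5_auth
auth    required    pam_unix.so
# comment lines are ignored by the check
account sufficient  pam_winbind.so require_membership_of=EXAMPLEDOM\Admins
account required    pam_unix.so
session optional    pam_winbind.so'

# Constructed corrected form: the option moved to the auth line.
CORRECTED_PAM_CONF='auth    sufficient  pam_winbind.so krb5_auth require_membership_of=EXAMPLEDOM\Admins
auth    required    pam_unix.so
account sufficient  pam_winbind.so
account required    pam_unix.so
session optional    pam_winbind.so'

# Print every offending line from the config text given as $1.
# Exit status 1 if any were found, 0 otherwise.
check_pam_winbind_rmo() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }      # skip comment lines
        $1 == "account" && /pam_winbind/ && /require_membership_of/ {
            print "misplaced require_membership_of on account stack: " $0
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Number of offending lines in the config text given as $1.
count_misplaced() {
    check_pam_winbind_rmo "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration: report the misplaced option in the sample and
# confirm the corrected form is clean.
if ! check_pam_winbind_rmo "$SAMPLE_PAM_CONF"; then
    echo "fix: move require_membership_of to the pam_winbind auth line"
fi
check_pam_winbind_rmo "$CORRECTED_PAM_CONF" && echo "corrected config: ok"
```

To audit a real system, pass the file contents instead of the sample text, for example `check_pam_winbind_rmo "$(cat /etc/pam.d/common-account)"` (path is an assumption; it varies by distribution), and run it on each file in /etc/pam.d before deploying the patched pam_winbind.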

