[Samba] [PATCH] Fix pam_winbind config parsing for require_membership_of

Andrew Bartlett abartlet at samba.org
Mon Jan 6 19:50:13 MST 2014


On Mon, 2013-12-16 at 17:04 +1300, Garming Sam wrote:
> On 06/12/13 18:30, Garming Sam wrote:
> 
> > On 29/11/13 20:27, Andrew Bartlett wrote: 
> > > On Thu, 2013-11-28 at 22:17 +0000, Nathan Frankish wrote: 
> > > > Hi David, 
> > > > 
> > > > I can and we will test that today. But I'm more concerned about
> > > > why PAM_WINBIND is authorizing the account (pam_sm_acct_mgmt
> > > > returning 0 (PAM_SUCCESS)). 
> > > The require_membership_of stuff is handled in the authenticate
> > > hook, not the authorization hook as you would expect.  The reason
> > > is that it's only on the password authentication hook that we get
> > > the authoritative source of information regarding the group
> > > memberships of the user.
> > >
> > > In many ways we have been caught out by a feature I added for
> > > ntlm_auth for squid (always password-based), that has spread, but
> > > not been clear about its limitations.
> > >
> > > Patches to change the account module to reject this option would
> > > be very worthwhile, if possible.
> > > 
> > > Andrew Bartlett 
> > > 
> > 
> > Hi there, 
> > 
> > Just been working with Andrew on this. We've added code to reject
> > this configuration and we've altered the documentation to reflect
> > this change. The patches also change handling of invalid
> > configuration files so that it should error out gracefully.
> > 
> > Take care however, because if you have the require_membership_of in
> > the account line, then you may not be able to log in.  Also, just be
> > careful that PAM modules are quite critical, if there is a fault in
> > the code we changed, you may need to get to single user mode to
> > remove pam_winbind from your configuration. 
> > 
> > 
> > Cheers, 
> > 
> > Garming Sam 
> > 
> > 
> > 
> 
> Just corrected my name in the commits. Are there any comments you can
> make? Otherwise, can it be reviewed and sent to master?

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Can I get a second team reviewer please?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
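A configuration check in the spirit of the change discussed in this thread, written here as an added example (it is not part of the patch or of Samba's own code): it parses a PAM service file and flags require_membership_of on any pam_winbind line other than auth, the placement the thread explains is only honoured by the authenticate hook. The PAM file contents and the group SID/name are constructed for the example.

```python
# Added example: detect require_membership_of on non-auth pam_winbind lines.
# Constructed sample of a /etc/pam.d/ service file (not from the thread).
SAMPLE_PAM_CONFIG = """\
# /etc/pam.d/sshd (constructed example)
auth      required   pam_env.so
auth      sufficient pam_winbind.so require_membership_of=S-1-5-21-111-222-333-1105 krb5_auth
auth      required   pam_unix.so try_first_pass
account   required   pam_unix.so
account   sufficient pam_winbind.so require_membership_of=MYDOM\\\\Admins
session   required   pam_unix.so
"""


def parse_pam_lines(text):
    """Yield (lineno, type, control, module, options) for each active entry.

    Handles comments, the optional leading '-' on the type field and the
    bracketed control syntax, e.g. [success=1 default=ignore].
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        mtype = parts[0].lstrip("-").lower()
        if parts[1].startswith("["):
            end = 1
            while end < len(parts) and not parts[end].endswith("]"):
                end += 1
            control = " ".join(parts[1:end + 1])
            rest = parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        if not rest:
            continue
        yield lineno, mtype, control, rest[0], rest[1:]


def find_misplaced_require_membership(text):
    """Return (lineno, type) for pam_winbind entries carrying
    require_membership_of on a type other than auth, where it has no effect."""
    findings = []
    for lineno, mtype, _control, module, options in parse_pam_lines(text):
        if "pam_winbind" not in module:
            continue
        if mtype != "auth" and any(o.startswith("require_membership_of=") for o in options):
            findings.append((lineno, mtype))
    return findings


if __name__ == "__main__":
    for lineno, mtype in find_misplaced_require_membership(SAMPLE_PAM_CONFIG):
        print(f"line {lineno}: require_membership_of on '{mtype}' line is ignored by pam_winbind")
```

Run against a real service file by replacing SAMPLE_PAM_CONFIG with its contents; an empty result means every require_membership_of sits on an auth line.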