[Samba] [PATCH] Fix pam_winbind config parsing for require_membership_of
Andrew Bartlett
abartlet at samba.org
Mon Jan 6 19:50:13 MST 2014
On Mon, 2013-12-16 at 17:04 +1300, Garming Sam wrote:
> On 06/12/13 18:30, Garming Sam wrote:
>
> > On 29/11/13 20:27, Andrew Bartlett wrote:
> > > On Thu, 2013-11-28 at 22:17 +0000, Nathan Frankish wrote:
> > > > Hi David,
> > > >
> > > > I can and we will test that today. But I'm more concerned about
> > > > why PAM_WINBIND is authorizing the account (pam_sm_acct_mgmt
> > > > returning 0 (PAM_SUCCESS)).
> > > The require_membership_of stuff is handled in the authenticate
> > > hook, not the authorization hook as you would expect. The reason
> > > is that it's only on the password authentication hook that we get
> > > the authoritative source of information regarding the group
> > > memberships of the user.
> > >
> > > In many ways we have been caught out by a feature I added for
> > > ntlm_auth for squid (always password-based), that has spread, but
> > > not been clear about its limitations.
> > >
> > > Patches to change the account module to reject this option would
> > > be very worthwhile, if possible.
> > >
> > > Andrew Bartlett
> > >
> >
> > Hi there,
> >
> > Just been working with Andrew on this. We've added code to reject
> > this configuration and we've altered the documentation to reflect
> > this change. The patches also change handling of invalid
> > configuration files so that it should error out gracefully.
> >
> > Take care however, because if you have the require_membership_of in
> > the account line, then you may not be able to log in. Also, just be
> > careful that PAM modules are quite critical, if there is a fault in
> > the code we changed, you may need to get to single user mode to
> > remove pam_winbind from your configuration.
> >
> >
> > Cheers,
> >
> > Garming Sam
> >
> >
> >
>
> Just corrected my name in the commits. Are there any comments you can
> make? Otherwise, can it be reviewed and sent to master?
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Can I get a second team reviewer please?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
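As an added example, not part of the thread or of the Samba patch under review: a small linter that parses /etc/pam.d-style files and flags a pam_winbind rule carrying require_membership_of on a non-auth line, the placement the thread warns is ineffective today and may stop logins once the account module rejects it. The sample file, SIDs and function names are constructed for illustration.

```python
# Constructed sample (not from the thread): an sshd PAM stack where
# require_membership_of was put on the account line, where pam_winbind
# does not evaluate it (only the auth hook sees the group information).
SAMPLE_PAM_D = """\
# constructed /etc/pam.d/sshd excerpt
auth     required   pam_env.so
auth     [success=1 default=ignore] pam_winbind.so require_membership_of=S-1-5-21-1-2-3-1107
auth     requisite  pam_deny.so
@include common-account
account  sufficient pam_winbind.so require_membership_of=MYDOM\\admins
account  required   pam_unix.so
session  optional   pam_winbind.so
"""


def parse_pam_rules(text):
    """Yield (lineno, type, control, module, args) for each rule.

    Handles comments, '@include' lines, the optional leading '-' on the
    type, and bracketed control fields such as [success=1 default=ignore].
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):
            continue
        tok = line.split()
        if len(tok) < 3:
            continue
        rule_type = tok[0].lstrip("-").lower()
        if tok[1].startswith("["):
            # bracketed control field may span several whitespace-separated tokens
            end = next((i for i, t in enumerate(tok) if t.endswith("]")), None)
            if end is None or end + 1 >= len(tok):
                continue  # malformed rule; leave it to pam's own parser
            control, module, args = " ".join(tok[1:end + 1]), tok[end + 1], tok[end + 2:]
        else:
            control, module, args = tok[1], tok[2], tok[3:]
        yield n, rule_type, control, module, args


def misplaced_require_membership_of(text):
    """Return [(lineno, type)] for pam_winbind rules that carry
    require_membership_of anywhere other than an auth line."""
    hits = []
    for n, rule_type, _control, module, args in parse_pam_rules(text):
        if (module.endswith("pam_winbind.so") and rule_type != "auth"
                and any(a.startswith("require_membership_of=") for a in args)):
            hits.append((n, rule_type))
    return hits


if __name__ == "__main__":
    for lineno, rule_type in misplaced_require_membership_of(SAMPLE_PAM_D):
        print(f"line {lineno}: require_membership_of on '{rule_type}' line is not enforced")
```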