Radically trim down winbind?
metze at samba.org
Fri Nov 4 14:12:46 UTC 2016
On 04.11.2016 at 14:35, Matthew Newton wrote:
> Hi all,
> On Fri, Nov 04, 2016 at 01:12:17PM +0100, Stefan Metzmacher wrote:
>>> While looking at problems with our winbindd_domain_list and trust
>>> enumeration I just had an idea: Just discard everything that can't
>>> reliably work. The two main things are:
>>> Thoughts? Too extreme?
>> I'm happy to remove as much as we can :-)
>> User administration just doesn't belong to winbindd.
> Just so I can try and work out what you're planning :)
> Earlier this year I wrote a new module for FreeRADIUS that permits
> checking group membership directly via winbindd. The "traditional"
> way of doing this is obviously via LDAP, but for a lot of setups
> where people aren't using LDAP already, but winbindd was already in
> use for authentication, it seemed nice to just use the existing
> The module calls wbcCtxGetGroups to get the group list for a
> username, and then enumerates each of them with wbcCtxGetgrgid.
> This seems to work for the cases I've heard of where people are
> using it.
> I guess my questions are -
> - was this the wrong thing to do, i.e. is it so unreliable that
> it could give incorrect values
> - is this about to break?
> - if so, is there a recommended way to do this via winbindd that
> will continue to work?
> Lots of people seem to get hung up on the correct LDAP
> configuration, so finding that groups were available via winbindd
> was a nice surprise and makes it easier for simpler setups. But
> obviously not if it doesn't reliably return the correct results.
Basically you need to translate the group name into a SID,
then do the authentication using wbcCtxAuthenticateUserEx().
wbcAuthUserInfo->sids needs to be checked for the requested SIDs.
wbcCtxLogonUser() takes a list of blobs, where you can pass
a "membership_of" blob. 'man pam_winbind' has:
require_membership_of=[SID or NAME] If this option is set, pam_winbind
will only succeed if the user is a member of the given SID or NAME. A
be either a group-SID, an alias-SID or even an user-SID. It is also
give a NAME instead of the SID. That name must have the form:
or MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID
Note that NAME may not contain any spaces. It is thus recommended to
SIDs. You can verify the list of SIDs a user is a member of with wbinfo
This option must only be specified on a auth module declaration, as
it only operates in conjunction with password authentication.
I hope that helps.
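Added example, not code from this thread or from FreeRADIUS or Samba: the fail-closed SID parsing and token-membership check the reply describes, i.e. what a module does with wbcAuthUserInfo->sids once wbcCtxAuthenticateUserEx() has returned, with the same any-of semantics as pam_winbind's require_membership_of. It assumes a local struct mirroring wbcDomainSid so it builds without libwbclient; the authentication and wbcLookupName() calls are named in comments, not made.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: mirrors libwbclient's struct wbcDomainSid so this builds without wbclient.h. */
struct sid { uint8_t rev, num_auths; uint64_t id_auth; uint32_t sub[15]; };

/* One "-<decimal>" field; rejects the signs/spaces strtoull would otherwise accept. */
static int field(const char **s, unsigned long long max, unsigned long long *v)
{
    char *end;
    if (**s != '-' || !isdigit((unsigned char)(*s)[1])) return -1;
    *v = strtoull(*s + 1, &end, 10);
    *s = end;
    return *v > max ? -1 : 0;
}

/* Parse "S-1-5-21-...-513" into binary form; -1 on malformed input (fail closed). */
int parse_sid(const char *s, struct sid *out)
{
    unsigned long long v;
    memset(out, 0, sizeof(*out));
    if (s == NULL || *s++ != 'S' || field(&s, 255, &v) != 0) return -1;
    out->rev = (uint8_t)v;
    if (field(&s, 0xFFFFFFFFFFFFULL, &v) != 0) return -1; /* 48-bit identifier authority */
    out->id_auth = v;
    while (*s == '-') {
        if (out->num_auths == 15 || field(&s, 0xFFFFFFFFULL, &v) != 0) return -1;
        out->sub[out->num_auths++] = (uint32_t)v;
    }
    return *s == '\0' ? 0 : -1;
}

/* require_membership_of semantics: grant only if the token (what wbcAuthUserInfo->sids
 * holds after wbcCtxAuthenticateUserEx) contains at least one required SID. Non-SID
 * entries are rejected here; real code resolves DOMAIN\name with wbcLookupName() first. */
int user_is_member(const struct sid *token, size_t n_token,
                   const char *const *required, size_t n_req)
{
    struct sid want;
    for (size_t i = 0; i < n_req; i++) {
        if (parse_sid(required[i], &want) != 0) return 0;
        for (size_t j = 0; j < n_token; j++)
            if (token[j].rev == want.rev && token[j].num_auths == want.num_auths &&
                token[j].id_auth == want.id_auth &&
                !memcmp(token[j].sub, want.sub, sizeof(want.sub))) return 1;
    }
    return 0;
}
```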