Radically trim down winbind?

Stefan Metzmacher metze at samba.org
Fri Nov 4 14:12:46 UTC 2016


Am 04.11.2016 um 14:35 schrieb Matthew Newton:
> Hi all,
> 
> On Fri, Nov 04, 2016 at 01:12:17PM +0100, Stefan Metzmacher wrote:
>>> While looking at problems with our winbindd_domain_list and trust
>>> enumeration I just had an idea: Just discard everything that can't
>>> reliably work. The two main things are:
> ...
>>> Thoughts? Too extreme?
>>
>> I'm happy to remove as much as we can :-)
>>
>> User administration just doesn't belong to winbindd.
> 
> Just so I can try and work out what you're planning :)
> 
> Earlier this year I wrote a new module for FreeRADIUS that permits
> checking group membership directly via winbindd. The "traditional"
> way of doing this is obviously via LDAP, but for a lot of setups
> where people aren't using LDAP already, but winbindd was already in
> use for authentication, it seemed nice to just use the existing
> setup.
> 
> The module calls wbcCtxGetGroups to get the group list for a
> username, and then enumerates each of them with wbcCtxGetgrgid.
> This seems to work for the cases I've heard of where people are
> using it.
> 
> I guess my questions are -
> 
>  - was this the wrong thing to do, i.e. is it so unreliable that
>    it could give incorrect values
> 
>  - is this about to break?
> 
>  - if so, is there a recommended way to do this via winbindd that
>    will continue to work?
> 
> Lots of people seem to get hung up on the correct LDAP
> configuration, so finding that groups were available via winbindd
> was a nice surprise and makes it easier for simpler setups. But
> obviously not if it doesn't reliably return the correct results.

Basically you need to translate the group name into a SID,
using wbcCtxLookupName().

Then do the authentication using wbcCtxAuthenticateUserEx();
wbcAuthUserInfo->sids needs to be checked for the requested SIDs.

wbcCtxLogonUser() takes a list of blobs, where you can pass
a "membership_of" blob. 'man pam_winbind' has:

 require_membership_of=[SID or NAME] If this option is set, pam_winbind
   will only succeed if the user is a member of the given SID or NAME. A
   SID can be either a group-SID, an alias-SID or even a user-SID. It is
   also possible to give a NAME instead of the SID. That name must have
   the form: MYDOMAIN\\mygroup or MYDOMAIN\\myuser. pam_winbind will, in
   that case, look up the SID internally. Note that NAME may not contain
   any spaces. It is thus recommended to only use SIDs. You can verify the
   list of SIDs a user is a member of with wbinfo --user-sids=SID.

   This option must only be specified on an auth module declaration, as
   it only operates in conjunction with password authentication.

I hope that helps.

metze
