Radically trim down winbind?
mcn4 at leicester.ac.uk
Fri Nov 4 21:26:34 UTC 2016
On Fri, Nov 04, 2016 at 03:06:53PM +0100, Volker Lendecke wrote:
> wbcCtxGetGroups is good assuming you have successfully used
> wbcAuthenticateUser[Ex] before for that user. That's the point of
> doing it correctly when we have a netsamlogon_cache.tdb entry.
> The problem with AD groups is their complexity. Global groups, domain
> local groups, universal groups and who knows what other types of
> groups are very hard to get right.
People struggle with this with LDAP, so I'd hoped with the
winbindd lookup I'd got a nice way to get a flat list of all
groups (and that was what it seemed like)... but I guess not ;-)
On Fri, Nov 04, 2016 at 03:12:46PM +0100, Stefan Metzmacher wrote:
> Basically you need to translated the group name into a sid,
> using wbcCtxLookupName().
> Then do the authentication using wbcCtxAuthenticateUserEx()
> wbcAuthUserInfo->sids needs to be checked for the requested sids.
Thanks both! That's really useful.
I'll have to stare at it hard and see if there's a good way to
update my code (the Authentication in FreeRADIUS isn't directly
linked to Authorization, so if this is to work then I need to make
sure the auth has happened first). But at least I'm now aware
there is an issue.
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the samba-technical