pam_winbind and non password user authentication.

Maurizio Cimaschi mauri at
Sat Aug 25 17:25:37 UTC 2018

Dear Samba developers,
the pam_winbind library has a configuration directive tha can be used to
implement a SID (or name) based access control: "require_membership_of". The
manpage states that the membership evaluation is only carried out during the
"autentication" phase; but not checking the membership also under the
"accounting" phase raises an issue for those applications that are configured
to do non-password user authentication but still relay on the PAM stack to do
proper "accounting" and "session" management.

There are workarounds for this, for example by using the "pam_access" library.
But this is not as effective as adding membership checking during the "account"
phase because UNIX does not natively support nested groups and in the
"access.conf" it is not possible to distinguish local from domain groups.

Adding membership checking at the "accounting" and "session" phases will make
writing configurations easier and more clear.

If a user does not match membership checking (but it is otherwise valid),
the library should return the "PAM_PERM_DENIED" code during the "accounting"
phase and the "PAM_SESSION_ERR" code during the "session" phase.

>From a regression point of view, the "require_membership_of" directive is not
used in phases others than "authentication"; the manpage says: "This option
must only be specified on a auth module declaration". So there should not be
impacts on existing installations which have followed manual's advice. 

I apologize but I do not have the required skills to write a patch for this.

Would you please consider to broaden membership checking ?

If you'd like to comment on this, please keep my address in CC because I'm not
on the list. It will be appreciated.

Thank you for your time and your previous work.


More information about the samba-technical mailing list