pam_winbind and non password user authentication.

Amit amitkuma at redhat.com
Mon Aug 27 07:33:17 UTC 2018


Hello,

I believe this requires a fair amount of code addition/change. You
can open an RFE here (https://bugzilla.samba.org/) if one does not exist.
But opinion from other Developers would be good...

Thanks
Amit

On 08/25/2018 10:55 PM, Maurizio Cimaschi via samba-technical wrote:
> Dear Samba developers,
> the pam_winbind library has a configuration directive that can be used to
> implement a SID (or name) based access control: "require_membership_of". The
> manpage states that the membership evaluation is only carried out during the
> "autentication" phase; but not checking the membership also under the
> "accounting" phase raises an issue for those applications that are configured
> to do non-password user authentication but still relay on the PAM stack to do
> proper "accounting" and "session" management.
>
> There are workarounds for this, for example by using the "pam_access" library.
> But this is not as effective as adding membership checking during the "account"
> phase because UNIX does not natively support nested groups and in the
> "access.conf" it is not possible to distinguish local from domain groups.
>
> Adding membership checking at the "accounting" and "session" phases will make
> writing configurations easier and more clear.
>
> If a user does not match membership checking (but it is otherwise valid),
> the library should return the "PAM_PERM_DENIED" code during the "accounting"
> phase and the "PAM_SESSION_ERR" code during the "session" phase.
>
> From a regression point of view, the "require_membership_of" directive is not
> used in phases others than "authentication"; the manpage says: "This option
> must only be specified on a auth module declaration". So there should not be
> impacts on existing installations which have followed manual's advice. 
>
> I apologize but I do not have the required skills to write a patch for this.
>
> Would you please consider broadening membership checking?
>
> If you'd like to comment on this, please keep my address in CC because I'm not
> on the list. It will be appreciated.
>
> Thank you for your time and your previous work.
>
> 	Regards.
>
>

-- 
Thanks
Amit Kumar
!!If you stumble, get back up. 
What happened yesterday, no longer matters.
Today is another day to move closer to your GOAL!!
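The gap Maurizio describes, and the pam_access workaround he mentions, as an added configuration example for an OpenSSH server (editor's illustration, not from this thread or from the Samba project). The stack layout, the domain name EXAMPLE, the group ssh-users and the smb.conf settings are assumptions; sshd with public-key authentication skips pam_authenticate but still runs the account and session phases, which is why the auth-only directive is not applied to key-based logins.

```text
# /etc/pam.d/sshd (excerpt; assumed layout)
#
# require_membership_of is only honoured in the auth phase. A public-key
# login in sshd never calls pam_authenticate, so this line does not gate
# key-based logins at all; only password/keyboard-interactive logins hit it.
auth       sufficient  pam_winbind.so require_membership_of=ssh-users
auth       required    pam_unix.so

# Workaround from the thread: enforce the group in the account phase with
# pam_access, which sshd runs for every login, key-based ones included.
account    required    pam_access.so
account    required    pam_winbind.so
account    required    pam_unix.so

session    required    pam_winbind.so
session    required    pam_unix.so

# /etc/security/access.conf (excerpt; assumed group and domain names)
#
# Format: permission : users/groups : origins. Group names go in parentheses.
# The group name must be exactly what winbind presents to NSS, which depends
# on "winbind separator" and "winbind use default domain" in smb.conf; the
# entry below assumes "winbind use default domain = yes", so no EXAMPLE\
# prefix. pam_access resolves membership through NSS, so it sees only the
# flat group list and cannot tell a local ssh-users from a domain ssh-users.
+ : root : LOCAL
+ : (ssh-users) : ALL
- : ALL : ALL
```

To confirm the auth line is really being skipped, check the sshd log for a key-based login: pam_winbind logs nothing for the auth phase, while pam_access denials show up from the account phase.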
