pam_winbind and non password user authentication.
amitkuma at redhat.com
Mon Aug 27 07:33:17 UTC 2018
I believe this requires a requisite amount of code addition/change. You
can open RFE here (https://bugzilla.samba.org/) if it does not exist.
But opinion from other Developers would be good...
On 08/25/2018 10:55 PM, Maurizio Cimaschi via samba-technical wrote:
> Dear Samba developers,
> the pam_winbind library has a configuration directive that can be used to
> implement a SID (or name) based access control: "require_membership_of". The
> manpage states that the membership evaluation is only carried out during the
> "authentication" phase; but not checking the membership also under the
> "accounting" phase raises an issue for those applications that are configured
> to do non-password user authentication but still rely on the PAM stack to do
> proper "accounting" and "session" management.
> There are workarounds for this, for example by using the "pam_access" library.
> But this is not as effective as adding membership checking during the "account"
> phase because UNIX does not natively support nested groups and in the
> "access.conf" it is not possible to distinguish local from domain groups.
> Adding membership checking at the "accounting" and "session" phases will make
> writing configurations easier and more clear.
> If a user does not match membership checking (but it is otherwise valid),
> the library should return the "PAM_PERM_DENIED" code during the "accounting"
> phase and the "PAM_SESSION_ERR" code during the "session" phase.
> From a regression point of view, the "require_membership_of" directive is not
> used in phases other than "authentication"; the manpage says: "This option
> must only be specified on a auth module declaration". So there should not be
> impacts on existing installations which have followed manual's advice.
> I apologize but I do not have the required skills to write a patch for this.
> Would you please consider broadening membership checking?
> If you'd like to comment on this, please keep my address in CC because I'm not
> on the list. It will be appreciated.
> Thank you for your time and your previous work.
!!If you stumble, get back up.
What happened yesterday, no longer matters.
Today is another day to move closer to your GOAL!!
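The behaviour the quoted request asks for, modelled as an added example (this is not pam_winbind or Samba code, and the directory, SIDs, and domain names in it are constructed): a membership check that resolves nested groups by SID and, per the proposal, returns PAM_PERM_DENIED in the auth and account phases and PAM_SESSION_ERR in the session phase when the user is valid but not in any required group. A flat, direct-membership-only check is included beside it to show the nested-group gap the post attributes to access.conf.

```python
"""
Added example (not pam_winbind or Samba code): a model of the
require_membership_of check applied to the account and session phases,
as the post requests, resolving nested group membership by SID.
The directory data, SIDs and names below are constructed for illustration.
"""
from collections import deque

# Return codes, with the numeric values Linux-PAM assigns them.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_SESSION_ERR = 14

# Constructed directory: group SID -> SIDs that are direct members
# (users or other groups). Nesting: Linux-Admins is a member of SSH-Allowed.
DIRECTORY = {
    "S-1-5-21-1-1-1-2001": {"S-1-5-21-1-1-1-2002", "S-1-5-21-1-1-1-1100"},  # SSH-Allowed
    "S-1-5-21-1-1-1-2002": {"S-1-5-21-1-1-1-1101"},                          # Linux-Admins
    "S-1-5-21-1-1-1-2003": {"S-1-5-21-1-1-1-1102"},                          # Guests
}

# Constructed name -> SID map, standing in for winbind's DOMAIN\name lookup.
NAMES = {
    "EXAMPLE\\SSH-Allowed": "S-1-5-21-1-1-1-2001",
    "EXAMPLE\\Linux-Admins": "S-1-5-21-1-1-1-2002",
    "EXAMPLE\\Guests": "S-1-5-21-1-1-1-2003",
}


def direct_groups(sid, directory=DIRECTORY):
    """Groups that list the SID as a direct member (a flat, UNIX-style view)."""
    return {g for g, members in directory.items() if sid in members}


def transitive_groups(user_sid, directory=DIRECTORY):
    """All groups the user belongs to, following nested group membership.
    Breadth-first with a visited set, so a membership cycle cannot loop."""
    seen = set()
    queue = deque(direct_groups(user_sid, directory))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        # A group is nested inside every group that lists it as a member.
        queue.extend(direct_groups(group, directory))
    return seen


def parse_require_membership_of(value, names=NAMES):
    """Split a comma-separated require_membership_of value into SIDs,
    resolving DOMAIN\\name entries through the (constructed) name map."""
    sids = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.upper().startswith("S-1-"):
            sids.add(item)
        elif item in names:
            sids.add(names[item])
        else:
            raise ValueError(f"cannot resolve {item!r}")
    return sids


def membership_check(user_sid, required, phase, nested=True):
    """Return the PAM code for one phase. On failure the code follows the
    post's proposal: PAM_PERM_DENIED for auth/account, PAM_SESSION_ERR for
    session. nested=False mimics a check that only sees direct groups."""
    groups = transitive_groups(user_sid) if nested else direct_groups(user_sid)
    if groups & parse_require_membership_of(required):
        return PAM_SUCCESS
    if phase == "session":
        return PAM_SESSION_ERR
    if phase in ("auth", "account"):
        return PAM_PERM_DENIED
    raise ValueError(f"unknown phase {phase!r}")


if __name__ == "__main__":
    required = "EXAMPLE\\SSH-Allowed"
    for user, label in (("S-1-5-21-1-1-1-1100", "direct member"),
                        ("S-1-5-21-1-1-1-1101", "member via nested Linux-Admins"),
                        ("S-1-5-21-1-1-1-1102", "Guests only")):
        for phase in ("auth", "account", "session"):
            print(f"{label:32} {phase:8} nested={membership_check(user, required, phase)} "
                  f"flat={membership_check(user, required, phase, nested=False)}")
```

Run as a script, the user who is only a member of the nested Linux-Admins group passes every phase under the transitive check but is refused by the flat check, which is the case the post says a pam_access workaround cannot express cleanly.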