pam_winbind and non password user authentication.

[Andrew Bartlett]

On Sat, 2018-08-25 at 19:25 +0200, Maurizio Cimaschi via samba-
technical wrote:
> Dear Samba developers,
> the pam_winbind library has a configuration directive tha can be used to
> implement a SID (or name) based access control: "require_membership_of". The
> manpage states that the membership evaluation is only carried out during the
> "autentication" phase; but not checking the membership also under the
> "accounting" phase raises an issue for those applications that are configured
> to do non-password user authentication but still relay on the PAM stack to do
> proper "accounting" and "session" management.

> I apologize but I do not have the required skills to write a patch for this.

I added this feature (originally in ntlm_auth, for squid, then brough
to PAM by my fellow developers). 

The reason the check is where it is and only for authentication is only
after authentication do get reliably get the user's token, the list of
SIDs.  So while it was trivial and reliable to add at this point,
without a password we would need to use the Kerberos call S4U2Self,
potentially against a trusted domain.  This is much more complex than
just checking the SID list that has already been provided.

That is why there is the limitation.  Had it been trivial to do so, of
course it would have been added to the account stage (that is the
correct stage). 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba