pam_winbind and non password user authentication.

Andrew Bartlett abartlet at
Mon Aug 27 07:38:24 UTC 2018

On Sat, 2018-08-25 at 19:25 +0200, Maurizio Cimaschi via samba-technical wrote:
> Dear Samba developers,
> the pam_winbind library has a configuration directive that can be used to
> implement a SID (or name) based access control: "require_membership_of". The
> manpage states that the membership evaluation is only carried out during the
> "authentication" phase; but not checking the membership also under the
> "accounting" phase raises an issue for those applications that are configured
> to do non-password user authentication but still rely on the PAM stack to do
> proper "accounting" and "session" management.

> I apologize but I do not have the required skills to write a patch for this.

I added this feature (originally in ntlm_auth, for squid, then brought
to PAM by my fellow developers).

The reason the check is where it is, and only for authentication, is that
only after authentication do we reliably get the user's token, the list of
SIDs.  So while it was trivial and reliable to add at this point,
without a password we would need to use the Kerberos call S4U2Self,
potentially against a trusted domain.  This is much more complex than
just checking the SID list that has already been provided.

That is why there is the limitation.  Had it been trivial to do so, of
course it would have been added to the account stage (that is the
correct stage).


Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
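The limitation described in this thread can be audited in a PAM service file: the membership gate only exists on the auth stack, so a service whose login path never calls PAM auth (key-based sshd, for instance) reaches account and session with no SID check at all. The checker below is an added example, not code from the thread or from Samba; the sample pam.d stacks, the SID, and the group name are constructed placeholders, and pam_succeed_if `ingroup` / pam_access on the account stage are treated as compensating checks.

```python
# Added example: audit a pam.d service file for the pam_winbind gap discussed
# in the thread. require_membership_of is evaluated only in the 'auth' stage;
# a non-password login (e.g. key-based sshd) skips 'auth' and runs only
# 'account' and 'session', so the SID gate never fires unless an 'account'
# stage check (pam_succeed_if ... ingroup or pam_access) compensates.
import re
from collections import namedtuple

PamEntry = namedtuple("PamEntry", "stage control module args")

# A bracketed control such as "[success=1 default=ignore]" contains spaces,
# so it is matched as a single token.
_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam_stack(text):
    """Parse pam.d-style text into entries, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line) if line else None
        if m:
            stage, control, module, rest = m.groups()
            entries.append(PamEntry(stage, control, module, rest.split()))
    return entries

def audit_membership_gate(text):
    """Report whether the winbind membership gate is bypassed when 'auth'
    is skipped, i.e. for authentication that does not go through PAM auth."""
    entries = parse_pam_stack(text)
    auth_gate = any(
        e.stage == "auth" and e.module.endswith("pam_winbind.so")
        and any(a.startswith("require_membership_of=") for a in e.args)
        for e in entries)
    account_gate = any(
        e.stage == "account" and (
            (e.module.endswith("pam_succeed_if.so") and "ingroup" in e.args)
            or e.module.endswith("pam_access.so"))
        for e in entries)
    return {"auth_gate": auth_gate, "account_gate": account_gate,
            "bypassable_without_password": auth_gate and not account_gate}

# Constructed sample stacks; SID and group name are placeholders.
WEAK_SSHD = """\
auth     required  pam_winbind.so require_membership_of=S-1-5-21-PLACEHOLDER-1234
account  required  pam_winbind.so
session  required  pam_winbind.so
"""
# Same stack with a group check that also runs on the account stage.
HARDENED_SSHD = WEAK_SSHD + "account  required  pam_succeed_if.so user ingroup example-admins\n"
```

The group name passed to pam_succeed_if must resolve through winbind's NSS mapping, so this only works on hosts where `getent group` returns the domain group.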
