[Samba] SSH - Winbind and Keybased Auth

Andrew Bartlett abartlet at samba.org
Fri Nov 29 00:27:33 MST 2013


On Thu, 2013-11-28 at 22:17 +0000, Nathan Frankish wrote:
> Hi David,
> 
> I can and we will test that today. But I'm more concerned about why PAM_WINBIND is authorizing the account (pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)).

The require_membership_of stuff is handled in the authenticate hook, not
the authorization hook as you would expect.  The reason is that it's
only on the password authentication hook that we get the authoritative
source of information regarding the group memberships of the user.

In many ways we have been caught out by a feature I added for ntlm_auth
for squid (always password-based), that has spread, but not been clear
about its limitations.

Patches to change the account module to reject this option would be very
worthwhile, if possible. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
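
An added example, not part of the original message and not Samba code: a small audit that flags PAM stacks relying on pam_winbind's require_membership_of where, per the explanation above, it is not enforced. The sample stack, the finding codes and the function names are constructed for illustration; it assumes that sshd public-key logins run only the account and session hooks, never the auth hook.

```python
TYPES = {"auth", "account", "password", "session"}

# Constructed sample of an sshd PAM stack (not taken from the thread).
SAMPLE_PAM_SSHD = """\
# PAM stack for sshd
auth     sufficient pam_winbind.so require_membership_of=EXAMPLE\\ssh-users
auth     required   pam_unix.so use_first_pass
account  sufficient pam_winbind.so require_membership_of=EXAMPLE\\ssh-users
account  required   pam_unix.so
session  required   pam_mkhomedir.so
"""

def parse_pam(text):
    """Yield (lineno, type, module, args) for each PAM rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0].lstrip("-") not in TYPES:
            continue  # blank line, comment, @include, or malformed rule
        i = 1
        # A bracketed control such as [success=1 default=ignore] spans tokens.
        if parts[1].startswith("["):
            while i < len(parts) - 1 and not parts[i].endswith("]"):
                i += 1
        if i + 1 >= len(parts):
            continue  # control field present but no module named
        yield n, parts[0].lstrip("-"), parts[i + 1], parts[i + 2:]

def audit(text, pubkey_auth_enabled=True):
    """Return (lineno, code) findings for require_membership_of usage."""
    findings = []
    for n, typ, module, args in parse_pam(text):
        if "pam_winbind" not in module:
            continue
        if not any(a.startswith("require_membership_of=") for a in args):
            continue
        if typ == "account":
            # The option is only acted on in the authenticate hook.
            findings.append((n, "INEFFECTIVE_ON_ACCOUNT"))
        elif typ == "auth" and pubkey_auth_enabled:
            # Assumption: key-based logins never reach the auth stack.
            findings.append((n, "SKIPPED_FOR_KEY_LOGINS"))
    return findings

if __name__ == "__main__":
    for lineno, code in audit(SAMPLE_PAM_SSHD):
        print(f"line {lineno}: {code}")
```

Where either finding appears, the group restriction has to be enforced somewhere that runs for key-based logins too, for example with sshd's AllowGroups directive.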



