[Samba] SSH - Winbind and Keybased Auth
abartlet at samba.org
Fri Nov 29 00:27:33 MST 2013
On Thu, 2013-11-28 at 22:17 +0000, Nathan Frankish wrote:
> Hi David,
> I can and we will test that today. But I'm more concerned about why PAM_WINBIND is authorizing the account (pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)).
The require_membership_of stuff is handled in the authenticate hook, not
the authorization hook as you would expect. The reason is that it's
only on the password authentication hook that we get the authoritative
source of information regarding the group memberships of the user.
In many ways we have been caught out by a feature I added for ntlm_auth
for squid (always password-based), that has spread, but not been clear
about its limitations.
Patches to change the account module to reject this option would be very
worthwhile, if possible.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
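
The behaviour described in the reply above can be checked for in a PAM configuration. The following is an added example, not part of the original message and not Samba code: it scans one pam.d stack for pam_winbind lines carrying require_membership_of and reports where the group restriction depends on the authenticate hook, which a key-based SSH login does not run. The function name, finding labels and sample stack are assumptions constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/sshd stack (not taken from the thread).
SAMPLE_SSHD = """\
# constructed example
auth     sufficient  pam_winbind.so require_membership_of=EXAMPLE\\ssh-users
auth     required    pam_unix.so
account  [success=1 default=ignore] pam_winbind.so require_membership_of=EXAMPLE\\ssh-users
account  required    pam_unix.so
session  required    pam_unix.so
"""

# pam.d line layout: type, control (word or [bracketed list]), module, arguments.
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
OPTION_RE = re.compile(r"\brequire_membership_of=(\S+)")


def audit_pam_stack(text):
    """Return (line number, finding, group) for each pam_winbind group restriction.

    auth-hook-only:       enforced only when the password authenticate hook runs,
                          so a login that skips that hook is not group-checked.
    account-hook-ignored: set on an account line, where per the reply above the
                          option is not what enforces membership.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment in PAM configuration files.
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or "pam_winbind" not in m.group(3):
            continue
        opt = OPTION_RE.search(m.group(4))
        if not opt:
            continue
        if m.group(1) == "auth":
            findings.append((lineno, "auth-hook-only", opt.group(1)))
        elif m.group(1) == "account":
            findings.append((lineno, "account-hook-ignored", opt.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, kind, group in audit_pam_stack(SAMPLE_SSHD):
        print(f"line {lineno}: {kind}: {group}")
```
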