[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
Jason Keltz
jas at eecs.yorku.ca
Thu Feb 11 01:28:12 UTC 2021
I'm using winbind require_membership_of to restrict access to systems to
users in a particular group.
Let's say I have a system "a", and to log in to that system, you have to
be in group "a".
I also have a system "b", and to log in to that system, you have to be in
group "b".
I have "forwardable=true" in /etc/krb5.conf.
I'm logged into system "a" as a user in group "a" but NOT group "b". I
can *successfully* ssh to system b (!!!).
On the other hand, if I "kdestroy" my ticket first, THEN I try to ssh to
system b, I get asked for my password on system b, and the winbind group
membership check stops me from logging in.
I need the winbind group membership check, but I also want to be able to
support forwardable tickets. Is that somehow circumventing the check by
winbind, and if so, how would I resolve that?
Jason.
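The sshd side of the question above, as an added example that is not part of the thread and not Samba's or OpenSSH's own code. It assumes things the post does not state: sshd on host "b" runs with "UsePAM yes" and "GSSAPIAuthentication yes", so a forwarded Kerberos ticket completes the login through GSSAPI and sshd never calls pam_authenticate(), which is the stage at which this example assumes pam_winbind evaluates require_membership_of; and "winbind use default domain = yes", so the group is written simply as "b". The script parses constructed sample copies of sshd_config and pam_winbind.conf (file contents and paths are made up for the example), reports whether the group restriction would survive a GSSAPI login, and places sshd's AllowGroups, which sshd checks for every authentication method, beside the pam_winbind setting the post relies on.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit whether an ssh host
# restricts logins by group at a layer that covers every authentication method.
# Assumptions (not stated in the original post): UsePAM yes, GSSAPIAuthentication yes,
# require_membership_of is enforced in pam_winbind's auth stage only, and
# "winbind use default domain = yes" so the group name is plain "b".

# Effective value of a global sshd_config keyword. sshd keeps the FIRST occurrence,
# keywords are case-insensitive, "#" comments and blank lines are ignored, and
# anything after a Match line belongs to a Match block, which is not considered here.
sshd_option() {
    file=$1 key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$file"
}

# Value of require_membership_of from the [global] section of pam_winbind.conf
# ("key = value" lines, "#" or ";" comments); prints nothing if unset.
winbind_required_groups() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ { sect = tolower($0); gsub(/\[|\]|[[:space:]]/, "", sect); next }
        sect == "global" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == "require_membership_of") {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# 0: restriction applies to every auth method (sshd AllowGroups is set)
# 1: only pam_winbind require_membership_of, while GSSAPI logins are enabled
#    (the forwarded-ticket case of the post: pam_authenticate() is never run)
# 2: no group restriction found at all
audit_group_restriction() {
    sshd_conf=$1 winbind_conf=$2
    [ -n "$(sshd_option "$sshd_conf" AllowGroups)" ] && return 0
    if [ -n "$(winbind_required_groups "$winbind_conf")" ]; then
        case $(sshd_option "$sshd_conf" GSSAPIAuthentication | tr 'A-Z' 'a-z') in
            yes) return 1 ;;
            *)   return 0 ;;   # password-only logins do reach pam_winbind's auth stage
        esac
    fi
    return 2
}

verdict_text() {
    case $1 in
        0) echo "group restriction enforced for all authentication methods" ;;
        1) echo "group restriction bypassable with a forwarded Kerberos ticket (GSSAPI)" ;;
        *) echo "no group restriction configured" ;;
    esac
}

# Constructed sample files standing in for host "b" of the post.
write_samples() {
    dir=$1
    cat >"$dir/pam_winbind.conf" <<'EOF'
# /etc/security/pam_winbind.conf (constructed sample)
[global]
; only members of group b may log in, if this module's auth stage is reached
require_membership_of = b
EOF
    cat >"$dir/sshd_config.weak" <<'EOF'
# constructed sample: relies on pam_winbind alone
UsePAM yes
GSSAPIAuthentication yes
PasswordAuthentication yes
EOF
    cat >"$dir/sshd_config.fixed" <<'EOF'
# constructed sample: sshd itself enforces the group, whatever the auth method
UsePAM yes
GSSAPIAuthentication yes
PasswordAuthentication yes
AllowGroups b
Match User root
    AllowGroups root
EOF
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
for variant in weak fixed; do
    rc=0; audit_group_restriction "$tmp/sshd_config.$variant" "$tmp/pam_winbind.conf" || rc=$?
    echo "sshd_config.$variant: $(verdict_text "$rc")"
done
```

Running it prints one verdict per sample: the "weak" configuration is reported as bypassable, the "fixed" one as enforced. The parser deliberately stops at the first global occurrence of a keyword and ignores Match blocks, which mirrors how sshd resolves its options, so AllowGroups lines hidden below a Match are not mistaken for a global restriction.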