[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket

Andrew Bartlett abartlet at samba.org
Thu Feb 11 01:55:33 UTC 2021

On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
> I need winbind group membership check, but I also want to be able to 
> support forwardable tickets.  Is that somehow circumventing the check
> by 
> winbind? and if so, how would I resolve that?

The winbind require_membership_of check is only made when locally
authenticating users, eg by the winbindd process getting the password
from pam_winbind. 

See also https://bugzilla.samba.org/show_bug.cgi?id=14622


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list