[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket

Jason Keltz jas at eecs.yorku.ca
Thu Feb 11 02:30:04 UTC 2021


Is there any way you can think of, even using an external module, where 
I can still control who can access which hosts?

A solution that allows any user to get into any host will definately not 
work because I have a lot of different access control that needs to be 

This is probably something that should really be added to the 
pam_winbind manual page.


PS: If anyone else has any ideas, feel free to mention because I'm in 
big trouble now.

On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
>> I need winbind group membership check, but I also want to be able to
>> support forwardable tickets.  Is that somehow circumventing the check
>> by
>> winbind? and if so, how would I resolve that?
> The winbind require_membership_of check is only made when locally
> authenticating users, eg by the winbindd process getting the password
> from pam_winbind.
> See also https://bugzilla.samba.org/show_bug.cgi?id=14622
> Sorry!
> Andrew Bartlett

More information about the samba mailing list