[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
Jason Keltz
jas at eecs.yorku.ca
Thu Feb 11 02:30:04 UTC 2021
Andrew,
Is there any way you can think of, even using an external module, where
I can still control who can access which hosts?
A solution that allows any user to get into any host will definitely not
work because I have a lot of different access control that needs to be
preserved.
This is probably something that should really be added to the
pam_winbind manual page.
Jason.
PS: If anyone else has any ideas, feel free to mention because I'm in
big trouble now.
On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
>> I need winbind group membership check, but I also want to be able to
>> support forwardable tickets. Is that somehow circumventing the check
>> by winbind? and if so, how would I resolve that?
> The winbind require_membership_of check is only made when locally
> authenticating users, e.g. by the winbindd process getting the password
> from pam_winbind.
>
> See also https://bugzilla.samba.org/show_bug.cgi?id=14622
>
> Sorry!
>
> Andrew Bartlett
>