[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
abartlet at samba.org
Thu Feb 11 02:49:22 UTC 2021
I know it is not popular to mention sssd around here, but that project
has had a lot more emphasis on this kind of thing so perhaps look into
the options there.
On Wed, 2021-02-10 at 21:30 -0500, Jason Keltz wrote:
> Is there any way you can think of, even using an external module,
> I can still control who can access which hosts?
> A solution that allows any user to get into any host will definitely
> work because I have a lot of different access control that needs to
> This is probably something that should really be added to the
> pam_winbind manual page.
> PS: If anyone else has any ideas, feel free to mention because I'm
> in big trouble now.
> On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> > On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
> > > I need winbind group membership check, but I also want to be able to
> > > support forwardable tickets. Is that somehow circumventing the check
> > > by winbind? And if so, how would I resolve that?
> > The winbind require_membership_of check is only made when locally
> > authenticating users, e.g. by the winbindd process getting the password
> > from pam_winbind.
> > See also https://bugzilla.samba.org/show_bug.cgi?id=14622
> > Sorry!
> > Andrew Bartlett
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
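
Added example, not part of the original thread and not Samba code: a small audit that flags hosts where a pam_winbind require_membership_of rule sits next to an sshd that accepts Kerberos (GSSAPI) logins, the combination discussed above in which the membership check is not applied. The sshd_config and PAM contents, the group name ssh-users and all function names are constructed for illustration; Match blocks are ignored, and GSSAPIAuthentication is assumed to default to "no".

```python
# Added example: constructed inputs, not taken from the thread.
SSHD_CONFIG = """\
UsePAM yes
PasswordAuthentication yes
GSSAPIAuthentication yes
"""
PAM_SSHD = """\
auth     sufficient  pam_winbind.so require_membership_of=ssh-users
auth     required    pam_deny.so
account  required    pam_winbind.so
"""

def sshd_options(text):
    """Map sshd_config keywords (lowercased) to values; first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def membership_rules(pam_text):
    """Return (pam_type, group) for each pam_winbind line with require_membership_of."""
    rules = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not any(f.endswith("pam_winbind.so") for f in fields):
            continue
        for arg in fields:
            if arg.startswith("require_membership_of="):
                rules.append((fields[0].lstrip("-"), arg.split("=", 1)[1]))
    return rules

def audit(sshd_text, pam_text):
    """Flag membership rules that ticket-based (GSSAPI) logins would not hit."""
    gssapi = sshd_options(sshd_text).get("gssapiauthentication", "no") == "yes"
    if not gssapi:
        return []
    return [{"pam_type": t, "group": g,
             "issue": "enforced on password logins only; GSSAPI logins skip it"}
            for t, g in membership_rules(pam_text)]

if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, PAM_SSHD):
        print(finding)
```

A finding means the group restriction needs to be enforced somewhere that ticket-based logins also pass through.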