[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket
Andrew Bartlett
abartlet at samba.org
Thu Feb 11 02:49:22 UTC 2021
I know it is not popular to mention sssd around here, but that project
has had a lot more emphasis on this kind of thing so perhaps look into
the options there.
Andrew Bartlett
On Wed, 2021-02-10 at 21:30 -0500, Jason Keltz wrote:
> Andrew,
>
> Is there any way you can think of, even using an external module,
> where I can still control who can access which hosts?
>
> A solution that allows any user to get into any host will definitely
> not work because I have a lot of different access control that needs
> to be preserved.
>
> This is probably something that should really be added to the
> pam_winbind manual page.
>
> Jason.
>
> PS: If anyone else has any ideas, feel free to mention because I'm
> in big trouble now.
>
> On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
> > On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
> > > I need winbind group membership check, but I also want to be able
> > > to support forwardable tickets. Is that somehow circumventing the
> > > check by winbind? and if so, how would I resolve that?
> > The winbind require_membership_of check is only made when locally
> > authenticating users, eg by the winbindd process getting the
> > password from pam_winbind.
> >
> > See also https://bugzilla.samba.org/show_bug.cgi?id=14622
> >
> > Sorry!
> >
> > Andrew Bartlett
> >
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
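
The behaviour described in this thread can be checked for on a host. The following is an added example, not code from the thread or from Samba: it flags PAM configurations that rely on `require_membership_of` while ticket-based logins are enabled. It assumes the logins arrive over OpenSSH with `GSSAPIAuthentication`, which the thread does not name; the function names and the sample files are constructed for illustration.

```python
import re

# Constructed sample files for illustration; not taken from the thread.
SAMPLE_PAM = """\
auth     sufficient  pam_winbind.so require_membership_of=linux-admins
account  required    pam_unix.so
"""
SAMPLE_SSHD = """\
PasswordAuthentication yes
GSSAPIAuthentication yes
"""

def membership_rules(pam_text):
    """Return (pam_type, group) for each pam_winbind line with require_membership_of."""
    rules = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.search(r"\brequire_membership_of=(\S+)", line)
        if match and "pam_winbind.so" in line:
            rules.append((line.split()[0].lstrip("-"), match.group(1)))
    return rules

def sshd_option(sshd_text, keyword, default):
    """Look up a global sshd_config keyword (case-insensitive, first value wins)."""
    for raw in sshd_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if parts[0].lower() == "match":
            break  # Match blocks are out of scope for this sketch
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default

def audit(pam_text, sshd_text):
    """List the group restrictions a Kerberos ticket login would not be checked against."""
    # Assumption: ticket logins reach the host through sshd's GSSAPI support.
    if sshd_option(sshd_text, "GSSAPIAuthentication", "no") != "yes":
        return []
    return [
        f"require_membership_of={group} ({pam_type} stack) is enforced only for "
        "password logins via pam_winbind; GSSAPI ticket logins are not checked"
        for pam_type, group in membership_rules(pam_text)
    ]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM, SAMPLE_SSHD):
        print("WARNING:", finding)
```

The sketch reads only the text passed to it and ignores `Match` blocks and settings kept in a separate pam_winbind configuration file.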