[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket

Jason Keltz jas at eecs.yorku.ca
Thu Feb 11 02:56:50 UTC 2021


I'm sure that SSSD would likely work, and that's where I started off my 
experiments months ago until I was told not to expect compatibility 
between SSSD on client and Samba on server since SSSD is apparently 
tested against real Windows AD controllers, and not Samba.  If only that 
compatibility was "pretty much" guaranteed I wouldn't mind focusing on 
Samba on the server, and SSSD on the clients.

One other option it seems is pam_access.  It's not clear why pam_access 
should be able to restrict based on group (even when SSH certificates 
are involved) when pam_winbind can't.  If that works, it might be a 
workable solution.

Jason.

On 2/10/2021 9:49 PM, Andrew Bartlett via samba wrote:
> I know it is not popular to mention sssd around here, but that project
> has had a lot more emphasis on this kind of thing so perhaps look into
> the options there.
>
> Andrew Bartlett
>
> On Wed, 2021-02-10 at 21:30 -0500, Jason Keltz wrote:
>> Andrew,
>>
>> Is there any way you can think of, even using an external module,
>> where
>> I can still control who can access which hosts?
>>
>> A solution that allows any user to get into any host will definitely
>> not
>> work because I have a lot of different access control that needs to
>> be
>> preserved.
>>
>> This is probably something that should really be added to the
>> pam_winbind manual page.
>>
>> Jason.
>>
>> PS: If anyone else has any ideas, feel free to mention because I'm
>> in
>> big trouble now.
>>
>> On 2/10/2021 8:55 PM, Andrew Bartlett via samba wrote:
>>> On Wed, 2021-02-10 at 20:28 -0500, Jason Keltz via samba wrote:
>>>> I need winbind group membership check, but I also want to be able
>>>> to
>>>> support forwardable tickets.  Is that somehow circumventing the
>>>> check
>>>> by
>>>> winbind? and if so, how would I resolve that?
>>> The winbind require_membership_of check is only made when locally
>>> authenticating users, eg by the winbindd process getting the
>>> password
>>> from pam_winbind.
>>>
>>> See also https://bugzilla.samba.org/show_bug.cgi?id=14622
>>>
>>> Sorry!
>>>
>>> Andrew Bartlett
>>>



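An added note and example for the pam_access option raised above (not part of the thread, and not Samba or pam_access code): pam_access is an account-type module, and sshd with `UsePAM yes` still runs the PAM account stack after a GSSAPI/Kerberos login, whereas the auth stack, where pam_winbind's require_membership_of is evaluated, is skipped when the user never presents a password. That is why a group restriction in /etc/security/access.conf can hold for forwarded-ticket logins when require_membership_of does not. Since a mistake in access.conf can lock you out of every host, the following script emulates pam_access's first-match rule evaluation offline so a rule file can be checked before deployment. The access.conf content, group names and hostnames are constructed placeholders; real group names must match what `getent group` returns through winbind on that host, and netgroups, user@host fields, network/netmask origins and the nodefgroup option are not implemented.

```python
"""
Offline check of an /etc/security/access.conf rule set, emulating the
pam_access(8) first-match semantics for the common cases.

Added example for this thread: this is not pam_access code and not code
from the Samba project.  Netgroups (@name), user@host fields,
network/netmask origins and the nodefgroup option are not implemented.
"""
from dataclasses import dataclass

# Constructed access.conf.  The group names are placeholders; in practice
# they must match exactly what `getent group` returns through winbind
# (i.e. with the configured `winbind separator`).
SAMPLE_ACCESS_CONF = r"""
# permission : users/groups : origins
+ : root : LOCAL
+ : (EECS\lab-admins) (EECS\linux-users) : ALL
- : ALL : ALL
"""


@dataclass
class Rule:
    permit: bool      # True for '+', False for '-'
    users: str        # raw users/groups field
    origins: str      # raw origins field


def parse_access_conf(text):
    """Parse access.conf lines into Rule objects; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append(Rule(fields[0] == "+", fields[1], fields[2]))
    return rules


def _list_match(field, item_match):
    """pam_access list semantics: 'a b EXCEPT c d' matches when some token
    before EXCEPT matches and no token after EXCEPT does."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        if any(item_match(t) for t in tokens[i + 1:]):
            return False
        tokens = tokens[:i]
    return any(item_match(t) for t in tokens)


def user_matches(token, user, groups):
    """groups: set of lower-cased group names the user belongs to.
    A bare name is tried as a user name first, then as a group name, which
    is pam_access's default behaviour; '(name)' is a group only."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1].lower() in groups
    return token.lower() == user.lower() or token.lower() in groups


def origin_matches(token, origin):
    """Origin field matching for ALL, LOCAL, exact host, '.domain' suffix and
    dotted 'a.b.' IPv4 prefix forms."""
    t, o = token.lower(), origin.lower()
    if t == "all":
        return True
    if t == "local":
        return "." not in o          # pam_access: LOCAL is 'no dot in origin'
    if t.startswith("."):
        return o.endswith(t)         # domain suffix
    if t.endswith("."):
        return o.startswith(t)       # IPv4 prefix
    return o == t


def check_access(rules, user, groups, origin):
    """Return (allowed, matched_rule). First matching line decides; if no
    line matches, pam_access grants access, so the last line should be a
    catch-all deny."""
    g = {x.lower() for x in groups}
    for r in rules:
        if (_list_match(r.users, lambda t: user_matches(t, user, g))
                and _list_match(r.origins, lambda t: origin_matches(t, origin))):
            return r.permit, r
    return True, None


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for who, grp, frm in [("root", [], "tty1"),
                          ("jas", ["EECS\\linux-users"], "ws12.example.org"),
                          ("bob", ["domain users"], "ws12.example.org")]:
        ok, rule = check_access(rules, who, grp, frm)
        print(f"{who}@{frm}: {'allow' if ok else 'deny'} via {rule}")
```

The PAM side of the same setup is a single `account required pam_access.so` line in the sshd service (or the common account stack) on each host; the emulator only tells you which access.conf line a given user, group list and origin would hit, it does not replace testing the live stack with a throwaway account before rolling the file out.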