[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket

Andrew Bartlett abartlet at samba.org
Thu Feb 11 03:08:16 UTC 2021

On Wed, 2021-02-10 at 21:56 -0500, Jason Keltz wrote:
> One other option it seems is pam_access.  It's not clear why pam_access
> should be able to restrict based on group (even when SSH certificates
> are involved) when pam_winbind can't.  If that works, it might be a
> workable solution.

That comes down to me.

The require_membership_of stuff is my fault.

The pam_winbind group checks are a (very useful!) hack built on another
hack I built for ntlm_auth, for Squid.  Compared with using Squid ACLs
and looking up group membership after successful authentication (which
is slow and error prone), it just made the authentication fail if the
included group list didn't match. 

Originally it even only worked with a SID, to make it really simple.

The full, expanded group list is obtained for free when we do an NTLM
or Kerberos login, so this was a quick and cheap way to solve that
particular problem.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
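The practical consequence of the above, as an added configuration example that is not part of this message or of the Samba project: pam_winbind's require_membership_of can only act when pam_winbind itself performs the NTLM or Kerberos login (it is during that login that the expanded group list arrives), whereas pam_access runs in the PAM account stage, which sshd invokes for every accepted login regardless of how it was authenticated. The group name EXAMPLE\linux-ssh-users, the Debian-style stack layout, and the use of "winbind use default domain" (so the bare group name resolves in access.conf) are assumptions for illustration.

```conf
# /etc/pam.d/sshd (fragment; Linux-PAM, Debian-style ordering assumed)
#
# Auth stage: pam_winbind does the NTLM/Kerberos login and gets the expanded
# group list with it, so require_membership_of can fail the login right here.
# sshd only runs this stack for password / keyboard-interactive logins;
# GSSAPI and public-key (including certificate) logins never enter it, so
# this check is simply never evaluated for them.
# EXAMPLE\linux-ssh-users is a hypothetical group; a SID is accepted too.
auth      sufficient  pam_winbind.so  krb5_auth krb5_ccache_type=FILE require_membership_of=EXAMPLE\linux-ssh-users
auth      required    pam_unix.so

# Account stage: runs for every login sshd accepts, whatever authenticated it.
# pam_access checks /etc/security/access.conf against the user's groups as
# resolved through NSS (here, winbind), so the restriction also holds for
# certificate and GSSAPI logins.
account   required    pam_access.so
account   required    pam_winbind.so
account   required    pam_unix.so

# /etc/security/access.conf
# permission : users/groups : origins   (parentheses force a group match)
# Local accounts that must keep working go before the final deny.
+ : root : LOCAL
+ : (linux-ssh-users) : ALL
- : ALL : ALL
```

The auth-stage line is kept so that password logins still fail early with the cheap check; the account-stage pam_access rule is the one that actually enforces the group restriction for every login path. The closing "- : ALL : ALL" denies everyone not matched above, so any local or service account that needs SSH must be listed before it.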
