[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
rpenny at samba.org
Sun Jun 6 11:17:05 UTC 2021
On 06/06/2021 12:02, Kees van Vloten wrote:
> On 06-06-2021 12:52, Rowland penny via samba wrote:
>> On 06/06/2021 11:20, Kees van Vloten wrote:
>>> The problem is not on the DC, users do not login there.
>>> There are some member-servers that do need domain-user logins, e.g.
>>> over ssh.
>>> I have already found out that sssd is not good to maintain the
>>> computer-account password, does not support ntlm, and I really want the
>>> same tool for id-mapping everywhere. Since that is winbind on the DC
>>> and on the SMB-fileserver, the idea is to use it on other member
>>> servers for NSS as well.
>>> However due to https://bugzilla.samba.org/show_bug.cgi?id=14622
>>> pam-winbind is not the right tool for user logins. I tried pam-sss
>>> instead with good results.
>>> That's the background.
>>> - Would pam-sss + winbind for NSS work on a member-server?
>> Probably, possibly, but you only get authentication, so you might
>> just as well use sssd by itself. If you want shares, then you really
>> need the full Samba stack.
> Not really, as it does not update the computer-account pw after 30
> days automatically. That is why I want the computer-account to be
> maintained by winbind.
There you go, yet another reason not to use sssd; it has been that long
since I used sssd that I was unaware of that.
>>> - Does the combination nslcd, pam, ldap provide the users with a
>>> kerberos ticket?
>> It has been some time since I used nslcd, but I believe so.
>> Of course it would be so much better if that bug was fixed, it is (in
>> my opinion) a security bug, disabled users or users with expired
>> passwords should not be able to login by any method.
> I agree with you that this is a security bug, the whole idea of expiring
> is that they do not get access without changing their pw.
> Is there anything that can be done to get the bug 14622 labelled as a
> security issue?
> For me pam-winbind would be the preferred solution because it
> simplifies the setup, less software is better :-)
Okay Andrew, why isn't this a security problem??
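The account-state checks that the thread says any login path must enforce (a disabled account, or a password that is expired or flagged must-change-at-next-login), written out as an added example: this is not code from the thread, from pam-winbind or from the Samba project. It evaluates the directory attributes `userAccountControl`, `pwdLastSet` and `accountExpires` the way a PAM account-management step should, over constructed sample records; the hypothetical 42-day maximum password age is an assumption standing in for the domain's password policy.

```python
"""Account-state checks a domain login path should apply before granting access.

Added example for the winbind/sssd thread; not Samba or pam-winbind code.
The sample accounts below are constructed, not taken from any real domain.
"""
from datetime import datetime, timedelta, timezone

# Real userAccountControl bits (AD): account disabled / password never expires.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
# accountExpires values that mean "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
# FILETIME attributes count 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert an AD FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def login_denial_reasons(account, now=None, max_password_age_days=None):
    """Return the reasons this account must NOT be granted a login.

    An empty list means the account state alone does not block the login;
    the password still has to be verified separately.  `account` holds the
    integer attribute values as stored in the directory.  The maximum
    password age is an assumed policy value supplied by the caller.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    uac = account.get("userAccountControl", 0)
    if uac & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")

    pwd_last_set = account.get("pwdLastSet", 0)
    if pwd_last_set == 0:
        # `samba-tool user ... --must-change-at-next-login` leaves pwdLastSet at 0,
        # which is the expired state the thread is about.
        reasons.append("password must be changed at next login")
    elif max_password_age_days is not None and not uac & UF_DONT_EXPIRE_PASSWD:
        age = now - filetime_to_datetime(pwd_last_set)
        if age > timedelta(days=max_password_age_days):
            reasons.append("password expired by age policy")

    expires = account.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("account expired")
    return reasons


def audit(accounts, now=None, max_password_age_days=None):
    """Map account name -> denial reasons, for a quick review of who should be locked out."""
    return {name: login_denial_reasons(acct, now, max_password_age_days)
            for name, acct in accounts.items()}


# Constructed sample records (hypothetical users, not real directory data).
_MAY20 = datetime_to_filetime(datetime(2021, 5, 20, tzinfo=timezone.utc))
_JAN01 = datetime_to_filetime(datetime(2021, 1, 1, tzinfo=timezone.utc))
_JUN01 = datetime_to_filetime(datetime(2021, 6, 1, tzinfo=timezone.utc))
SAMPLE_ACCOUNTS = {
    "alice": {"userAccountControl": 0x200, "pwdLastSet": _MAY20, "accountExpires": 0},
    "bob":   {"userAccountControl": 0x202, "pwdLastSet": _MAY20, "accountExpires": 0},
    "carol": {"userAccountControl": 0x200, "pwdLastSet": 0,      "accountExpires": 0},
    "dave":  {"userAccountControl": 0x200, "pwdLastSet": _JAN01, "accountExpires": 0},
    "erin":  {"userAccountControl": 0x200, "pwdLastSet": _MAY20, "accountExpires": _JUN01},
}
ASSUMED_MAX_PASSWORD_AGE_DAYS = 42  # assumption: the domain's policy value

if __name__ == "__main__":
    when = datetime(2021, 6, 6, 12, 0, tzinfo=timezone.utc)
    for name, reasons in audit(SAMPLE_ACCOUNTS, when, ASSUMED_MAX_PASSWORD_AGE_DAYS).items():
        print(f"{name}: {'login allowed' if not reasons else ', '.join(reasons)}")
```

Only carol and bob are denied for the reasons the thread discusses (must-change flag and disabled bit); the age and accountExpires checks are included so a reviewer can see that "expired" has more than one source in the directory and that each one should independently deny the login.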