Having a system with nss_winbind and pam_winbind and ssh with public key authentication, a user can still log in with the pub key even if his account in AD is disabled, locked or expired. There is no way to configure pam_winbind to do this right. PAM and openssh allow to do this. SSSD can actually do this perfectly correctly, simply with this pam config line in the ssh pam config file:

account [default=bad success=ok user_unknown=ignore] pam_sss.so

pam_winbind doesn't offer any pam "account" feature currently. I found this branch from Andrew, which was stated to add pam account support: https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=2c71a9cf1705e217ead8c903c0d31ca9e32df1fc
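For context on the SSSD configuration mentioned in the report above, this is an added example (not from the report or from Samba) of where that line sits in the sshd PAM stack and the sshd_config setting it depends on. The surrounding pam_nologin/pam_unix lines are the usual distribution defaults and are assumptions here; only the pam_sss line is from the report.

```text
# /etc/ssh/sshd_config
# sshd consults the PAM "account" stack after a public-key login only when
# UsePAM is on; with UsePAM no, the AD status is never looked at.
UsePAM yes
PubkeyAuthentication yes

# /etc/pam.d/sshd (account stack only; auth is skipped for public keys)
account  required                                     pam_nologin.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  required                                     pam_unix.so
```

The control field on the pam_sss line is what makes the check meaningful: a disabled, locked or expired AD account yields a failure code from pam_sss and the login is refused (`default=bad`), a user SSSD does not know is passed down the stack (`user_unknown=ignore`) and only a positive answer is accepted (`success=ok`). A pam_winbind module with the same "account" behaviour is exactly what the report is asking for.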
logonHours should also be checked
Wow, that is a blast from the past. I remember that! Assuming everything we need is in the PAC (logonHours?), ideally we would do a S4U2Self and then confirm the details from there, either by the fact that the request is denied or (if offline) by what the info from the last saved PAC tells us. That way any other KDC-side restrictions would also be honoured.
it's not just logonHours that we need, we generally need the "account" pam feature first. That will allow us to evaluate if an account is disabled, expired, locked or if logonHours deny access.
I totally agree. I was just wondering out loud if the logonHours part could be done based on the PAC (it can't), so I think an online check or a different cache will be required for that.
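The four conditions listed two comments up (disabled, expired, locked, logonHours), together with the point just made that logonHours needs an online lookup rather than the PAC, as an added example that is not part of the thread and not Samba or pam_winbind code: a Python sketch of the "account"-style decision, evaluated over the AD attributes such a lookup would return (userAccountControl, accountExpires, lockoutTime, logonHours). The attribute values, the dates and the lockout duration are constructed for illustration; the logonHours bit layout follows the one Samba's logon_hours_ok() reads, and the "0 means locked until an administrator unlocks" interpretation of the lockout duration follows the AD account lockout policy.

```python
"""
Added example (not Samba/pam_winbind code): the account-status checks this
thread asks pam_winbind to perform, evaluated over raw AD attribute values.
All attribute values below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag (AD). UF_LOCKOUT (0x10) is advisory in AD; the
# effective lockout state comes from lockoutTime, so it is not consulted here.
UF_ACCOUNTDISABLE = 0x0002

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
NT_EPOCH_OFFSET_SECONDS = 11644473600
NT_TICKS_PER_SECOND = 10_000_000
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # both mean "never" in AD


def nt_time_to_datetime(nt: int) -> datetime:
    """FILETIME -> aware UTC datetime (integer arithmetic to avoid float loss)."""
    return datetime.fromtimestamp(nt // NT_TICKS_PER_SECOND - NT_EPOCH_OFFSET_SECONDS,
                                  tz=timezone.utc)


def datetime_to_nt_time(dt: datetime) -> int:
    """Aware datetime -> FILETIME, used here only to build constructed samples."""
    return (int(dt.timestamp()) + NT_EPOCH_OFFSET_SECONDS) * NT_TICKS_PER_SECOND


def logon_hours_allow(logon_hours: bytes, when: datetime) -> bool:
    """logonHours is 21 bytes = 168 bits, one per hour of the week in UTC,
    bit 0 = Sunday 00:00, least-significant bit first within each byte
    (the layout Samba's logon_hours_ok() reads). Absent/empty = unrestricted."""
    if not logon_hours:
        return True
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be 21 bytes")
    utc = when.astimezone(timezone.utc)
    sunday_based_wday = (utc.weekday() + 1) % 7   # Python: Monday == 0
    bitpos = sunday_based_wday * 24 + utc.hour
    return bool(logon_hours[bitpos // 8] & (1 << (bitpos % 8)))


def account_check(attrs: dict, now: datetime, lockout_duration_s: int) -> tuple:
    """Return (allowed, reason). attrs holds raw AD attribute values;
    lockout_duration_s is the domain lockout duration, 0 = locked until an
    administrator unlocks (assumption: mirrors the AD lockout policy semantics)."""
    if attrs.get("userAccountControl", 0) & UF_ACCOUNTDISABLE:
        return False, "account disabled"

    expires = attrs.get("accountExpires", 0)
    if expires not in ACCOUNT_NEVER_EXPIRES and nt_time_to_datetime(expires) <= now:
        return False, "account expired"

    lockout_time = attrs.get("lockoutTime", 0)
    if lockout_time:
        unlock_at = nt_time_to_datetime(lockout_time) + timedelta(seconds=lockout_duration_s)
        if lockout_duration_s == 0 or now < unlock_at:
            return False, "account locked out"

    if not logon_hours_allow(attrs.get("logonHours", b""), now):
        return False, "outside logonHours"

    return True, "ok"


# Constructed sample data: a Wednesday and the preceding Sunday, 10:00 UTC.
WED_10_UTC = datetime(2024, 3, 6, 10, 0, tzinfo=timezone.utc)
SUN_10_UTC = datetime(2024, 3, 3, 10, 0, tzinfo=timezone.utc)


def weekday_business_hours() -> bytes:
    """Constructed logonHours bitmap: Monday-Friday, 08:00-17:59 UTC allowed."""
    bits = bytearray(21)
    for wday in range(1, 6):            # Sunday == 0 ... Saturday == 6
        for hour in range(8, 18):
            pos = wday * 24 + hour
            bits[pos // 8] |= 1 << (pos % 8)
    return bytes(bits)


def demo() -> dict:
    """Run the check over constructed accounts; keyed by scenario name."""
    hours = weekday_business_hours()
    base = {"userAccountControl": 0x0200}          # NORMAL_ACCOUNT, enabled
    past = datetime_to_nt_time(datetime(2024, 1, 1, tzinfo=timezone.utc))
    return {
        "enabled": account_check(base, WED_10_UTC, 1800),
        "disabled": account_check({**base, "userAccountControl": 0x0202}, WED_10_UTC, 1800),
        "expired": account_check({**base, "accountExpires": past}, WED_10_UTC, 1800),
        "locked": account_check({**base, "lockoutTime": datetime_to_nt_time(WED_10_UTC - timedelta(minutes=5))}, WED_10_UTC, 1800),
        "lock_expired": account_check({**base, "lockoutTime": datetime_to_nt_time(WED_10_UTC - timedelta(hours=1))}, WED_10_UTC, 1800),
        "locked_until_admin": account_check({**base, "lockoutTime": datetime_to_nt_time(WED_10_UTC - timedelta(days=30))}, WED_10_UTC, 0),
        "in_hours": account_check({**base, "logonHours": hours}, WED_10_UTC, 1800),
        "out_of_hours": account_check({**base, "logonHours": hours}, SUN_10_UTC, 1800),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:20s} {result}")
```

The order of the checks matches the order a PAM account hook would want to report them in, and each failing condition returns its own reason so the module could map it to a distinct PAM error (PAM_ACCT_EXPIRED, PAM_PERM_DENIED and so on). Note that the logonHours and lockout checks depend on the current time and the domain policy, which is why, as the comment above says, they cannot be answered from a cached PAC alone.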
Andrew, can you have a look at whether you can get your patches working for current master again? It would be great if we could get the pam_winbind module to support those account features, which are actually quite important for people using pam_winbind actively.
I'm sorry, I don't have any capacity or specific interest in taking this up. Happy to advise, review etc, but I won't be the implementer here. Sorry, Andrew Bartlett