Bug 3578 - require_membership_of does not work
Summary: require_membership_of does not work
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.20b
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2006-03-03 09:25 UTC by Hari Sekhon
Modified: 2006-03-16 09:45 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Hari Sekhon 2006-03-03 09:25:48 UTC
   I've got domain authentication working successfully against a Windows 2000 Active Directory domain with winbind and kerberos on 2 linux boxes. Everything works, logins, samba shares, ssh. 

I've added something to the pam rules global/shared auth sections to stop any domain account that is not a member of the "domain admins" group from logging it. The line is:

auth    required        pam_winbind.so use_first_pass require_membership_of=S-1-5-21-xxxxxxxxx-551417010-xxxxxxxxxx-512

This is supposed to make sure that only user accounts that are members of the group that matches the SID (in this case the "domain admins" group) can log on. The test should return negative for domain user not a member of that domain group.

In samba 3.0.14a which is the current stable version on gentoo this works as expected, members of the group can log on and other domain users can't.

However, the exact same line on another box (suse) which is using samba 3.0.20b-3.1 does not work as expected and every domain user can still log on whether or not they are a member of the domain admins group.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2006-03-16 07:44:08 UTC
This works fine for me.  Can you provide some more information?
Comment 2 Hari Sekhon 2006-03-16 09:34:41 UTC
ok, the box it was happening on has been wiped and I'm trying this on a new gentoo box with samba-3.0.21b which works as expected. I have no explanation for this so I should close this bug as invalid unless I can reproduce it which at present I cannot, but I was positive this didn't work with the samba on the suse box of the same version. perhaps suse patched something distro specific?
Comment 3 Guenther Deschner 2006-03-16 09:45:39 UTC
I permanently checked this in our package and it worked fine; so if it is still an issue for you, please reopen and send us some log level 10 debugging logs.