rlm_winbind and groups

Alan DeKok aland at deployingradius.com
Sat Nov 5 03:00:02 CET 2016


On Nov 4, 2016, at 5:33 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> 
> So... it turns out there are issues with winbindd getting group
> information, and that it may be wrong. The Samba team are
> currently discussing on the list about ripping some bits of
> winbindd out, which may include some of the group stuff.

  :(  Active Directory isn't simple.  In fact, it's almost deliberately obtuse.

> The right way seems to be to get a list of sids after an
> authentication, and enumerate those, which will list the groups
> that the user is in. It's only good after an auth when the data
> has been cached locally.

  Wow.

> I'm going to stare at the code and see if I can update anything,
> but in the meantime anyone who is using rlm_winbind for group
> checks just a warning it may not stay in the current state for
> much longer :( And it's probably best to call group lookups in
> post-auth when Samba has the group lists cached, rather than in
> authorize.

  Sounds good, thanks.

  Alan DeKok.



