rlm_winbind and groups

Matthew Newton mcn4 at leicester.ac.uk
Sun Nov 6 19:14:12 CET 2016


On Sat, Nov 05, 2016 at 08:20:18PM +0000, Alan Buxey wrote:
> Surely this is the same stuff that e.g. 'wbinfo -g' pulls out?

Yes... they're discussing removing that, because it can be
inaccurate.

> I believe the only issue I've seen is a segfault when the group
> list was very large.

That's probably nothing to do with Samba, and more with me trying
(and failing) to be more efficient. I've got 90% of a rewrite here
that should simplify things, but I'll now have to put it on hold
until I can work out what's happening winbind-side.

> However, if the change is that you can only get group
> membership after the auth then that's okay as we use that for
> VLAN assignment

Looks like it... or that's the only time the groups are reliable.

But the issue is more that it looks like the groups can only
accurately be known by enumerating the list of SIDs returned after
a successful login. Which throws the xlat into a right mess.

But I need to look at it more to be sure.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

