CVE request: samba pam_winbind authentication fails open
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 2 Dec 2013 14:24:42 -0700
Just cutting-and-pasting from the bug I just filed. The following was
reported to us, but had been reported upstream last year.
It was reported that Samba's pam_winbind module would fail open (allowing
access) when the require_membership_of option is used as an argument to
pam_winbind and contains a non-existent group as the value. In such a
configuration, rather than failing and not permitting authentication, which is
what would be expected, pam_winbind will allow authentication to proceed.
For instance, if the following is specified and the user is not a member of the
group 'Admin', they will not obtain access to the system:
auth sufficient pam_winbind.so use_first_pass require_membership_of=Admin
On the other hand, if the non-existent group 'AdminOops' is specified (the user
is obviously not a member of said group), authentication will be permitted:
auth sufficient pam_winbind.so use_first_pass require_membership_of=AdminOops
The commit that most likely introduced this flaw indicates that this was
introduced October 2009 and another commit looks like the fix, although
that is for another bug that's somewhat related to this issue and somewhat
Could a CVE be assigned to this issue?
Vincent Danen / Red Hat Security Response Team
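As an added example (not part of Vincent's post, and not Samba's own code), the
following script shows the configuration-review check a defender would want for
this class of bug: it parses pam.d-style lines, collects every group named in
require_membership_of=, and reports any that cannot be resolved, so a typo such
as 'AdminOops' is caught at review time rather than by a fail-open login. It also
shows the fail-closed decision rule that the report says pam_winbind should have
applied: an unresolvable required group denies access instead of falling through.
The PAM lines and the group resolver used in the demo are constructed for the
example; on a real host the default resolver uses the NSS group database via
grp.getgrnam, and SID-style values (S-1-...) are skipped because they cannot be
resolved by name that way.

```python
"""Audit pam_winbind require_membership_of= groups and model a fail-closed check.

Added example, not from the original mailing-list post or from Samba.
"""
import grp
import re
from typing import Callable, Dict, Iterable, List, Set

# A pam.d line: optional '-', type, control (either a word or a [bracketed] list),
# module path, then the module arguments.
PAM_LINE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$"
)


def required_groups(pam_lines: Iterable[str]) -> Dict[int, List[str]]:
    """Return {line_number: [group, ...]} for each pam_winbind line that
    carries require_membership_of=. Values are comma-separated."""
    found: Dict[int, List[str]] = {}
    for number, raw in enumerate(pam_lines, start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        match = PAM_LINE.match(line)
        if not match or "pam_winbind" not in match.group(3):
            continue
        for arg in match.group(4).split():
            key, sep, value = arg.partition("=")
            if sep and key == "require_membership_of":
                found[number] = [g for g in value.split(",") if g]
    return found


def group_exists_nss(name: str) -> bool:
    """Resolve a group name through NSS (which includes winbind when it is
    configured). SIDs are not resolvable this way, so they are treated as
    present here and must be checked by other means."""
    if name.startswith("S-1-"):
        return True
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def unresolvable_groups(
    pam_lines: Iterable[str],
    resolver: Callable[[str], bool] = group_exists_nss,
) -> Dict[int, List[str]]:
    """Return {line_number: [bad_group, ...]} for groups that do not resolve."""
    bad: Dict[int, List[str]] = {}
    for number, groups in required_groups(pam_lines).items():
        missing = [g for g in groups if not resolver(g)]
        if missing:
            bad[number] = missing
    return bad


def membership_allows(
    user_groups: Set[str],
    required: List[str],
    resolver: Callable[[str], bool] = group_exists_nss,
) -> bool:
    """Fail-closed decision: every required group must resolve, and the user
    must belong to at least one of them. An unknown group denies access
    rather than being skipped (the skip is exactly the fail-open behaviour
    described in the report)."""
    for group in required:
        if not resolver(group):
            return False
    return any(group in user_groups for group in required)


# Constructed sample configuration (the two lines from the report).
SAMPLE_PAM = [
    "auth sufficient pam_winbind.so use_first_pass require_membership_of=Admin",
    "auth sufficient pam_winbind.so use_first_pass require_membership_of=AdminOops",
]


def demo_resolver(name: str) -> bool:
    """Constructed stand-in for NSS: only these groups exist in the demo."""
    return name in {"Admin", "wheel"}


if __name__ == "__main__":
    for number, missing in unresolvable_groups(SAMPLE_PAM, demo_resolver).items():
        print(f"line {number}: require_membership_of names unknown group(s) {missing}")
    print("AdminOops with fail-closed rule:",
          membership_allows({"users"}, ["AdminOops"], demo_resolver))
```

Running the audit over /etc/pam.d/* on a host is a matter of feeding each file's
lines to unresolvable_groups(); a non-empty result means the configuration would,
on an affected Samba version, let any valid winbind user through on that line.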