Re: [Openvpn-devel] [PATCH] Fix user's group membership check in interactive service to work with domains
Hi,

This is like talking to myself, but here goes:

On Sun, Jan 8, 2017 at 3:00 PM, wrote:
> Currently the username unqualified by the domain is used to validate
> a user which fails for domain users. Instead compare the user's SID
> with SIDs in the Administrators group and ovpn_admin_group.
>
> This has the advantage that connection to a domain controller is not
> required and will work even when user is logged in with cached credentials.
>
> Limitations:
> (i) Group membership is not checked recursively
> (ii) Domain administrators will not be recognized as members of local
> Administrators group.
>
> Resolves Trac: #810

Based on further discussions on Trac: #810, domain admins are understandably not pleased with those limitations. I'll submit a v2.

Selva

Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Fix user's group membership check in interactive service to work with domains
On Sun, Jan 8, 2017 at 3:00 PM, wrote:
> From: Selva Nair
>
> Currently the username unqualified by the domain is used to validate
> a user which fails for domain users. Instead compare the user's SID
> with SIDs in the Administrators group and ovpn_admin_group.
>
> This has the advantage that connection to a domain controller is not
> required and will work even when user is logged in with cached credentials.
>
> Limitations:
> (i) Group membership is not checked recursively
> (ii) Domain administrators will not be recognized as members of local
> Administrators group.
>
> Resolves Trac: #810

Tested on Windows 7 as local user and domain user. Also tested by jiquera as described in Trac: #810
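
An added PowerShell audit (not part of the patch and not OpenVPN's code) of what a direct, non-recursive SID comparison like the one in the commit message would see on a machine: whether the current user's SID is listed in each group, and which nested groups are listed but would not be expanded. The group name `OpenVPN Administrators`, the use of `Get-LocalGroupMember`, and an English-language Windows are assumptions of this example.

```powershell
# Added example: audit direct (non-recursive) SID membership in local groups.
# Needs Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
param(
    # Assumption: name of the OpenVPN admin group on this machine; adjust as needed.
    [string]$OvpnAdminGroup = 'OpenVPN Administrators'
)

# SID of the account running the script, read from its token (no name lookup).
$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Built-in Administrators is addressed by its well-known SID because its
# display name is localized; the OpenVPN group is addressed by name.
$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$targets = @(
    @{ Label = 'Administrators'; Query = @{ SID  = $adminsSid } },
    @{ Label = $OvpnAdminGroup;  Query = @{ Name = $OvpnAdminGroup } }
)

foreach ($t in $targets) {
    $query = $t.Query
    try {
        $members = @(Get-LocalGroupMember @query -ErrorAction Stop)
    } catch {
        Write-Warning "Cannot read group '$($t.Label)': $($_.Exception.Message)"
        continue
    }

    # Direct match: the user's own SID appears in the group's member list.
    $direct = @($members | Where-Object { $_.SID -eq $userSid }).Count -gt 0

    # Nested groups (for example a domain group added to local Administrators)
    # are listed as members, but a non-recursive check never looks inside them.
    # Assumption: ObjectClass reads 'Group' (English-language Windows).
    $nested = @($members | Where-Object { $_.ObjectClass -eq 'Group' })

    [pscustomobject]@{
        Group        = $t.Label
        UserSid      = $userSid.Value
        DirectMember = $direct
        NestedGroups = ($nested | ForEach-Object { $_.Name }) -join '; '
    }
}
```

A row with `DirectMember` false and a non-empty `NestedGroups` column is the case covered by limitations (i) and (ii): the user may belong to one of the listed groups, yet a direct SID comparison will not recognize them.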