Original poster | Posted on 2014-3-3 14:36:43
WARNING!!!

When called by radiusd (thus directly setting the challenge value) the ntlm_auth program needs permission to access winbindd's winbindd_privileged directory (somewhere under /var). Read access will usually be sufficient.

The radiusd.conf file sets the uid and gid your radiusd process will run as (by the user and group directives, respectively). The ntlm_auth process will have the same identity. If your filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions, in case your distribution's default setting were insufficient. If radiusd runs as the user radiusd for example, then you should use setfacl the following way:

setfacl -m u:radiusd:rx winbindd_privileged

Or something similar. See http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl for more information on POSIX ACLs!
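A way to verify the result of the setfacl command in the post, added here as an example that is not part of the original post: it reads `getfacl` output and reports what the named-user entry grants once the ACL mask is applied. The function names and the sample ACL listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective rights of a named-user ACL entry,
# from `getfacl` text on stdin. Only the named-user entry (what
# `setfacl -m u:USER:rx` creates) and the mask are evaluated; access via
# owner, group or other is out of scope here.

acl_effective_for_user() {      # usage: getfacl DIR | acl_effective_for_user USER
    want_user=$1 entry='' mask=''
    while IFS=: read -r tag qual perms; do
        case $tag in '#'*|'') continue ;; esac   # skip header comments and blanks
        perms=${perms%"${perms#???}"}            # keep rwx triplet, drop "#effective:" trailer
        case $tag:$qual in
            user:"$want_user") entry=$perms ;;
            mask:)             mask=$perms ;;
        esac
    done
    [ -n "$entry" ] || { echo '---'; return 0; } # no named-user entry for USER
    [ -n "$mask" ] || mask=rwx
    eff=''
    for bit in r w x; do                         # effective = entry AND mask
        case $entry in *"$bit"*)
            case $mask in *"$bit"*) eff=$eff$bit; continue ;; esac ;;
        esac
        eff=$eff-
    done
    echo "$eff"
}

acl_grants_rx() {               # exit 0 when USER can read and traverse the directory
    case $(acl_effective_for_user "$1") in r?x) return 0 ;; *) return 1 ;; esac
}

# Constructed getfacl output: entry as created by the setfacl command in the post.
sample_acl_ok() {
    printf '%s\n' '# file: winbindd_privileged' '# owner: root' '# group: root' \
        'user::rwx' 'user:radiusd:r-x' 'group::r-x' 'mask::r-x' 'other::---'
}

# Constructed getfacl output: same entry, but the mask strips execute.
sample_acl_masked() {
    printf '%s\n' '# file: winbindd_privileged' 'user::rwx'
    printf 'user:radiusd:r-x\t#effective:r--\n'
    printf '%s\n' 'group::r--' 'mask::r--' 'other::---'
}
```

On a live system, run it as `getfacl winbindd_privileged | acl_grants_rx radiusd` from the directory's parent and check the exit status.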