Posted on 2014-3-3 14:36:43
WARNING!!!

When called by radiusd (thus directly setting the challenge value) the ntlm_auth program needs permission to access winbindd's winbindd_privileged directory (somewhere under /var). Read access will usually be sufficient.

The radiusd.conf file sets the uid and gid your radiusd process will run as (by the user and group directives, respectively). The ntlm_auth process will have the same identity. If your filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions, in case your distribution's default setting is insufficient. If radiusd runs as the user radiusd for example, then you should use setfacl the following way:

setfacl -m u:radiusd:rx winbindd_privileged

Or something similar. See http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl for more information on POSIX ACLs!
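A named-user ACL entry such as the one set above is limited by the ACL mask, which a later chmod on the directory can narrow. The following check is an added example, not part of the original post: it computes the effective rights for a user from `getfacl` output. The function names are hypothetical and both sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Read `getfacl` output on stdin and print the effective rights of a named
# user: the user's ACL entry limited by the mask. Prints "none" if no entry.
effective_perms() {   # usage: getfacl DIR | effective_perms USER
    awk -F: -v u="$1" '
        /^#/ || NF < 3 { next }              # skip header and blank lines
        { sub(/[ \t]*#.*/, "", $3) }         # drop a trailing "#effective:" note
        $1 == "user" && $2 == u { ent = $3 }
        $1 == "mask"            { mask = $3 }
        END {
            if (ent == "") { print "none"; exit }
            if (mask == "") mask = "rwx"     # no mask entry: nothing to limit
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(ent, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

sample_ok() {       # constructed: listing right after the setfacl command
    cat <<'EOF'
# file: winbindd_privileged
# owner: root
# group: root
user::rwx
user:radiusd:r-x
group::r-x
mask::r-x
other::---
EOF
}

sample_masked() {   # constructed: same ACL after a later chmod 700 emptied the mask
    cat <<'EOF'
# file: winbindd_privileged
user::rwx
user:radiusd:r-x   #effective:---
group::r-x         #effective:---
mask::---
other::---
EOF
}

sample_ok | effective_perms radiusd
sample_masked | effective_perms radiusd
```

On a live system, pipe `getfacl` for the real winbindd_privileged path into `effective_perms radiusd`; any result other than `r-x` means ntlm_auth does not have the access the setfacl command was meant to grant.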