Samba winbind authentication for login and sudo

paul.a.bolton at paul.a.bolton at
Fri Aug 28 12:28:51 UTC 2015

Hi Samba Developers,

I've been asked by my employer to look at a PoC using Samba as an
authentication client among other things such as GPO enforcement.

Whilst I've managed to get this working, when we scale to the requirements
of (at least some) large organisations there seem to be a few features that
would be nice to add. Some I have already coded into my demo but there are a
few more in-depth things to do - in terms of scale think an AD domain with
200K users and 100K machines as a ballpark measure for the order of

In any case I would be keen to feedback such potential enhancements into the
Samba codebase should you feel it is of benefit, and would be interested in
receiving advice on the best approach to modifying Samba.

The key one I'm looking at now is being able to authenticate the user via
winbind using non-Unix enabled groups, both for login and for 'sudo'
commands yet still map the user's profile to an rfc2307 compliant (and
consistent) mapping of UIDs and GIDs for those groups that are so enabled.

The rationale here is that, given the size of the environment, users may have
many groups but only need some UNIX-aware groups. Having UNIX-enabled
authentication groups would easily push some users into over 50 groups, and
with certain OSes having a constraint of no more than 16 supplemental
groups, this represents a problem.

My initial thoughts are to get the idmap_ad part of winbind to capture all
group membership and then for both winbind and a sudo plugin wrapper to use
that as well for the authentication phase.
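The split the post proposes (authenticate and authorise against every AD group, but
only hand the session the rfc2307-mapped GIDs) can be modelled outside Samba. The
block below is an added illustration written for this page, not Samba or winbind
code and not the poster's demo; the domain SID, group names, gidNumber values and
the 16-group limit constant are constructed, and the helper names (authz_sids,
posix_gids, may_login, may_sudo, supplementary_gids, unix_enable_all) are
hypothetical. It also shows the failure mode the post describes: UNIX-enabling all
authorisation groups pushes the supplementary list past the OS limit.

```python
# Added example: a model of the group split proposed in the post above.
# Not Samba code; SIDs, names and gidNumbers below are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed constant: some OSes cap supplementary groups at 16, as the post notes.
NGROUPS_LIMIT = 16


@dataclass(frozen=True)
class AdGroup:
    name: str
    sid: str
    gid_number: Optional[int] = None  # rfc2307 gidNumber; None = not UNIX-enabled


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    uid_number: int
    primary_gid_number: int
    member_of: tuple  # every AD group the user belongs to, UNIX-enabled or not


def authz_sids(user: AdUser) -> frozenset:
    """Authentication/authorisation view: all group SIDs, UNIX-enabled or not."""
    return frozenset(g.sid for g in user.member_of)


def posix_gids(user: AdUser) -> list:
    """NSS view: only groups carrying an rfc2307 gidNumber (what idmap_ad would map)."""
    return sorted({g.gid_number for g in user.member_of if g.gid_number is not None})


def may_login(user: AdUser, allowed_sids) -> bool:
    """PAM-style access check that also honours non-UNIX-enabled groups."""
    return bool(authz_sids(user) & frozenset(allowed_sids))


def may_sudo(user: AdUser, sudoers_group_names) -> bool:
    """sudo-style check by group name against the full AD membership."""
    names = {g.name for g in user.member_of}
    return bool(names & set(sudoers_group_names))


def supplementary_gids(user: AdUser, limit: int = NGROUPS_LIMIT) -> list:
    """Session supplementary groups (primary GID excluded).

    Fails loudly when the OS limit would be exceeded instead of silently truncating,
    since a truncated list can drop the very group that grants (or denies) access."""
    gids = [g for g in posix_gids(user) if g != user.primary_gid_number]
    if len(gids) > limit:
        raise ValueError(
            f"{user.sam_account_name}: {len(gids)} supplementary groups exceed {limit}")
    return gids


def unix_enable_all(user: AdUser) -> AdUser:
    """The alternative the post rejects: give every authorisation group a gidNumber.
    The allocation scheme (20000 + index) is constructed for the example."""
    groups = tuple(
        g if g.gid_number is not None else AdGroup(g.name, g.sid, 20000 + i)
        for i, g in enumerate(user.member_of))
    return AdUser(user.sam_account_name, user.uid_number, user.primary_gid_number, groups)


# Constructed sample: 'alice' is in 18 AD groups; only three carry a gidNumber.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
_unix_groups = [
    AdGroup("unix-users", f"{DOMAIN_SID}-10001", 10001),
    AdGroup("dev-hosts", f"{DOMAIN_SID}-10002", 10002),
    AdGroup("storage-ro", f"{DOMAIN_SID}-10003", 10003),
]
_auth_only = [AdGroup(f"app-role-{i:02d}", f"{DOMAIN_SID}-{1100 + i}") for i in range(15)]
ALICE = AdUser("alice", 50001, 10001, tuple(_unix_groups + _auth_only))

LINUX_LOGIN_SIDS = {f"{DOMAIN_SID}-1105"}  # app-role-05: grants login, has no gidNumber
SUDO_ADMIN_GROUPS = {"app-role-12"}        # non-UNIX-enabled group named in sudoers


if __name__ == "__main__":
    print("login allowed:", may_login(ALICE, LINUX_LOGIN_SIDS))
    print("sudo allowed:", may_sudo(ALICE, SUDO_ADMIN_GROUPS))
    print("supplementary gids:", supplementary_gids(ALICE))
    try:
        supplementary_gids(unix_enable_all(ALICE))
    except ValueError as err:
        print("unix-enabling every group:", err)
```

With the split, alice logs in and gets sudo through groups that have no gidNumber at
all, while her session carries only the two mapped supplementary GIDs; enabling all
18 groups would produce 17 supplementary GIDs and trip the 16-group limit.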





