Samba winbind authentication for login and sudo

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Aug 28 15:01:01 UTC 2015

On Fri, Aug 28, 2015 at 12:28:51PM +0000, paul.a.bolton at wrote:
> Hi Samba Developers,
> I've been asked by my employer to look at a PoC using Samba as an
> authentication client among other things such as GPO enforcement.
> Whilst I've managed to get this working, when we scale to the requirements
> of (at least some) large organisations there seem to be a few features that
> would be nice to add. Some I have already coded into my demo but there are a
> few more in-depth things to do - in terms of scale think an AD domain with
> 200K users and 100K machines as a ballpark measure for the order of
> magnitude.
> In any case I would be keen to feed back such potential enhancements into the
> Samba codebase should you feel it is of benefit, and would be interested in
> receiving advice on the best approach to modifying Samba.
> The key one I'm looking at now is being able to authenticate the user via
> winbind using non-Unix enabled groups, both for login and for 'sudo'
> commands yet still map the user's profile to an rfc2307 compliant (and
> consistent) mapping of UIDs and GIDs for those groups that are so enabled.

pam_winbind has the require_membership_of option, with which
you can restrict successful login to a list of SIDs. Only if a
user is a member of one of those groups will pam login
succeed. Is that a start for you?

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
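
The require_membership_of option mentioned in the reply above, as an added configuration example that is not part of the original message: per-service PAM lines that tie password login and sudo to different AD groups. The file paths, control flags and SIDs are assumptions (the SIDs are constructed placeholders); check pam_winbind(8) on the target system.

```conf
# /etc/pam.d/login  (assumed path; PAM layout varies by distribution)
#
# Unrestricted form: every domain user winbind can authenticate passes.
#   auth  required  pam_winbind.so
#
# Restricted form: authentication succeeds only if the user is a member
# of one of the listed SIDs (comma-separated list, no spaces).
# Both SIDs below are constructed placeholders, not real groups.
auth  required  pam_winbind.so  require_membership_of=S-1-5-21-1111111111-2222222222-3333333333-1105,S-1-5-21-1111111111-2222222222-3333333333-1106

# /etc/pam.d/sudo  (assumed path)
#
# A narrower group for sudo authentication. This only gates the PAM
# authentication step; which commands a user may run is still decided
# by the sudoers policy.
auth  required  pam_winbind.so  require_membership_of=S-1-5-21-1111111111-2222222222-3333333333-1200
```

Per pam_winbind(8), the option is enforced only during password authentication, so it does not restrict a login that needs no password, such as SSH key-based login.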

More information about the samba-technical mailing list