[Samba] Limit Winbind users to some OU

Andrew Bartlett abartlet at samba.org
Mon Jan 29 20:57:55 UTC 2018


On Fri, 2018-01-26 at 12:22 +0100, mathias dufresne via samba wrote:
> Hi all,
> 
> Is there a way to force Winbind to accept authentication of users inside
> some particular OU only?

Sadly not.  I once worked with a customer on their patched winbind that
did that, but the patch wasn't possible to continue forward into modern
versions.

However, you can restrict password authentication via ntlm_auth and
pam_winbind with the --require-membership-of and require_membership_of 
options to those tools.

(Things like SSH keys still work regardless of this setting, as I say
it is attached to password authentication for technical reasons).

In the medium term the reason we did the work for the 2012 AD schema
and FL upgrade was to enable us to work on features like Silos that
implement this, but this isn't yet something anybody has promised to
fund/deliver.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
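
An added example, not part of the message above and not Samba project code: a small audit that lists pam_winbind `auth` lines with no require_membership_of restriction and reports whether SSH key logins, which skip the password path, are enabled. The sample configs, the group name EXAMPLE\linux-admins and the SID are constructed. It assumes the hyphenated spelling of the option is accepted and that a setting in the [global] section of pam_winbind.conf applies when a PAM line has no argument of its own.

```python
import configparser
import re

# Constructed sample inputs for illustration (not from the original post).
PAM_SSHD = """\
auth     sufficient  pam_winbind.so use_first_pass
auth     required    pam_unix.so
account  required    pam_winbind.so
"""
PAM_LOGIN = "auth sufficient pam_winbind.so require_membership_of=EXAMPLE\\linux-admins\n"
WINBIND_CONF = "[global]\nrequire_membership_of = S-1-5-21-1111-2222-3333-1105\n"
SSHD_CONFIG = "PasswordAuthentication yes\n#PubkeyAuthentication yes\n"

# Module argument; the hyphenated spelling is assumed to be accepted as well.
RESTRICT = re.compile(r"\brequire[_-]membership[_-]of=\S+", re.I)

def conf_restriction(conf_text):
    """Value of require_membership_of in pam_winbind.conf [global], or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.get("global", "require_membership_of", fallback="").strip() or None

def unrestricted_auth_lines(pam_text, conf_text=""):
    """Return pam_winbind auth lines that carry no group restriction."""
    if conf_restriction(conf_text):      # file-wide setting covers every line
        return []
    hits = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.lstrip("-").split()
        if not fields or fields[0] != "auth":
            continue                     # only the auth phase checks passwords
        if "pam_winbind.so" in line and not RESTRICT.search(line):
            hits.append(line)
    return hits

def pubkey_login_enabled(sshd_text):
    """True unless sshd_config sets PubkeyAuthentication no (Match blocks ignored)."""
    for raw in sshd_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "pubkeyauthentication":
            return fields[1].lower() != "no"   # sshd uses the first value it sees
    return True                                 # OpenSSH default is yes

if __name__ == "__main__":
    print("unrestricted:", unrestricted_auth_lines(PAM_SSHD))
    print("key logins skip the group check:", pubkey_login_enabled(SSHD_CONFIG))
```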
