[Samba] Winbind and GPO access restrictions?

[Robert Marcano]

On 10/1/21 12:02 PM, Patrick Goetz via samba wrote:
> While most of my campus Samba projects are still going to need to play 
> nice with at least sssd id mapping, I do have one project which, based 
> on discussions on this list, I was planning to configure strictly with 
> winbind, since the AD DC is going to be Samba and it's the rare luxury 
> where I get to control everything.
> 
> However, a couple of days ago I had an anxiety-inducing thought.  This 
> is a mixed windows/linux environment, and one of the features the end 
> users would like and which I've already promised them is that the linux 
> machines would have different access restrictions from the Windows 
> desktops. The way I've been doing this with sssd is creating a GPO 
> applied to the host (or set of hosts) which restricts access to a 
> particular security group.
> 
> Reading through this page: https://wiki.samba.org/index.php/Group_Policy
> it's not clear this would also be possible with winbind.  Would such a 
> thing fall under the category of "smb.conf Policies"?  It doesn't seem 
> like it, since smb.conf access restrictions are most aimed at share 
> control.
> 

With winbind alone you will not be able to do that, you will need to use 
classic Linux mechanism to control login (pam files editing for example) 
and maybe automate the deployment on all machines by other means 
(Ansible, Puppet, etc)

Samba doesn't apply any GPO rules to Linux hosts. It is a sssd feature 
to apply login restriction policies if enabled (and only a few of them 
that make sense to Linux hosts)

> Thanks.
>