[Samba] Winbind and GPO access restrictions?
Robert Marcano
robert at marcanoonline.com
Fri Oct 1 18:52:57 UTC 2021
On 10/1/21 2:21 PM, Patrick Goetz via samba wrote:
>
>
> On 10/1/21 12:52, Robert Marcano via samba wrote:
>> On 10/1/21 12:02 PM, Patrick Goetz via samba wrote:
>>> While most of my campus Samba projects are still going to need to
>>> play nice with at least sssd id mapping, I do have one project which,
>>> based on discussions on this list, I was planning to configure
>>> strictly with winbind, since the AD DC is going to be Samba and it's
>>> the rare luxury where I get to control everything.
>>>
>>> However, a couple of days ago I had an anxiety-inducing thought.
>>> This is a mixed windows/linux environment, and one of the features
>>> the end users would like and which I've already promised them is that
>>> the linux machines would have different access restrictions from the
>>> Windows desktops. The way I've been doing this with sssd is creating
>>> a GPO applied to the host (or set of hosts) which restricts access to
>>> a particular security group.
>>>
>>> Reading through this page: https://wiki.samba.org/index.php/Group_Policy
>>> it's not clear this would also be possible with winbind. Would such
>>> a thing fall under the category of "smb.conf Policies"? It doesn't
>>> seem like it, since smb.conf access restrictions are most aimed at
>>> share control.
>>>
>>
>> With winbind alone you will not be able to do that, you will need to
>> use classic Linux mechanism to control login (pam files editing for
>> example) and maybe automate the deployment on all machines by other
>> means (Ansible, Puppet, etc)
>>
>> Samba doesn't apply any GPO rules to Linux hosts. It is a sssd feature
>> to apply login restriction policies if enabled (and only a few of them
>> that make sense to Linux hosts)
>>
>
> Oh wow. So I guess winbind can not do everything sssd does, and I'm
> guessing that using idmap_sss doesn't help with this issue, either.
>
> Looks like I'm back to using RFC 2307 mapping and doing what Rowland
> said not to do: just matching the UIDs/GIDs on the linux systems. But
> that's headache equivalent to using Ansible to copy around modified PAM
> configuration files and solves the other problem I have of at least one
> linux machine that needs file access being behind someone else's AD domain.
In the case of PAM files, these files are very security sensitive and I
think people should embrace Red Hat auth select. Create customized
configuration, probably based on /usr/share/authselect/default/winbind/
Install that authselect profile as an RPM and the only thing you need to
execute on you clients is to switch to your custom profile. At work I
will never trust a young sysadmin to modify these files directly, it is
too easy to make a security hole, only by a senior admin defining templates.
>
> Now I'm mystified at how people are using newer versions of Samba in a
> mixed Windows/Linux environment. If your linux workstations (i.e. not
> fileservers) are bound to the domain, you most certainly want them to be
> using domain authentication restrictions and not some ad hoc thing you
> have to cobble together and deploy with CMS every time the directory
> changes. I guess this is the problem that RHEL idM solves by foresting
> with a Samba DC; no idea; I have no experience with this whatsoever.
>
> Out of curiosity, is anyone out there using full blown sssd with a Samba
> version > 4.8? Is that even a thing?
>
>>> Thanks.
>>>
>>
>>
>
More information about the samba
mailing list