[Samba] Winbind and GPO access restrictions?

Rowland Penny rpenny at samba.org
Fri Oct 1 21:27:27 UTC 2021

On Fri, 2021-10-01 at 17:01 -0400, Robert Marcano via samba wrote:
> On 10/1/21 3:25 PM, Rowland Penny via samba wrote:
> > On Fri, 2021-10-01 at 14:52 -0400, Robert Marcano via samba wrote:
> > > On 10/1/21 2:21 PM, Patrick Goetz via samba wrote:
> > > > 
> > 
> > I know I wasn't going to reply to any post that mentioned sssd,
> > but,
> > have you seen this:
> > 
> > https://wiki.samba.org/index.php/Group_Policy
> Never, ever refrain from posting. We could skip knowledge we don't
> know.

I will not post about sssd. I do not believe that you need to use sssd
with Samba. Just about everything that sssd can do, Samba can do, or
you can use another program with the data in AD. sudo is one such
program, you can place the sudo rules in AD and then set up sudo to
pull these rules from AD.

Samba does not produce sssd, so cannot provide good support for it,
this is the province of the sssd-mailing list.

I have absolutely nothing against sssd, I used to use it years ago,
until I realised that I did not need it. It is just something else to
set up, for (in my opinion) no extra benefit.

> The wiki say: "Password and Kerberos policies, found in Computer 
Configuration > Policies > OS Settings > Security Settings > Account 
Policy, are only applicable to Samba Domain Controllers. "

> We are talking about login on workstations, restricting user login
> based
> on groups, on workstations. If these kind of policies are now
> supported, 
> cool, then the Wiki needs an update.

David Mulder has done quite a lot of work on GPO's recently, I am not
certain just what applies and where, but it is likely that if what you
are referring to isn't there now, then there is a good chance it will
turn up fairly soon.

Are you aware that you can join a Unix domain member with samba-tool
from Samba 4.15.0 ? Of course you will still need to create a smb.conf
before attempting the join, but this could be created during the join
if the command was extended to this, it just needs to ask a few
questions, or provide options to the command


More information about the samba mailing list