[Samba] Fwd: Winbind and GPO access restrictions?

Kees van Vloten keesvanvloten at gmail.com
Sat Oct 2 18:20:09 UTC 2021

On 02-10-2021 18:18, Patrick Goetz via samba wrote:
> On 10/1/21 16:27, Rowland Penny via samba wrote:
>> On Fri, 2021-10-01 at 17:01 -0400, Robert Marcano via samba wrote:
>>> On 10/1/21 3:25 PM, Rowland Penny via samba wrote:
>>>> On Fri, 2021-10-01 at 14:52 -0400, Robert Marcano via samba wrote:
>>>>> On 10/1/21 2:21 PM, Patrick Goetz via samba wrote:
>>>> I know I wasn't going to reply to any post that mentioned sssd,
>>>> but,
>>>> have you seen this:
>>>> https://wiki.samba.org/index.php/Group_Policy
>>> Never, ever refrain from posting. We could skip knowledge we don't
>>> know.
>> I will not post about sssd. I do not believe that you need to use sssd
>> with Samba. Just about everything that sssd can do, Samba can do, or
>> you can use another program with the data in AD. sudo is one such
>> program, you can place the sudo rules in AD and then set up sudo to
>> pull these rules from AD.
>> Samba does not produce sssd, so cannot provide good support for it,
>> this is the province of the sssd-mailing list.
>> I have absolutely nothing against sssd, I used to use it years ago,
>> until I realised that I did not need it. It is just something else to
>> set up, for (in my opinion) no extra benefit.
>>> The wiki say: "Password and Kerberos policies, found in Computer
>> Configuration > Policies > OS Settings > Security Settings > Account
>> Policy, are only applicable to Samba Domain Controllers. "
>>> We are talking about login on workstations, restricting user login
>>> based
>>> on groups, on workstations. If these kind of policies are now
>>> supported,
>>> cool, then the Wiki needs an update.
>> David Mulder has done quite a lot of work on GPO's recently, I am not
>> certain just what applies and where, but it is likely that if what you
>> are referring to isn't there now, then there is a good chance it will
>> turn up fairly soon.
>> Are you aware that you can join a Unix domain member with samba-tool
>> from Samba 4.15.0 ? Of course you will still need to create a smb.conf
>> before attempting the join, but this could be created during the join
>> if the command was extended to this, it just needs to ask a few
>> questions, or provide options to the command
> The issue though is authentication access restrictions on domain 
> members. I'm not a Windows guy and have only recently been using AD, 
> but it's my understanding that a GPO is the standard way in AD-world 
> to implement host-based access restrictions.
> sssd is able to access group and user access permissions in GPO's (but 
> this is pretty much the only GPO functionality implemented for linux 
> hosts so far AFAIK).  sssd also has a key called ad_access_filter 
> which you can set in the domain section of /etc/sssd/sssd.conf; e.g.
>   ad_access_filter = 
> samdom:(memberOf=cn=my_special_group,ou=groups,dc=samdom,dc-example,dc=com)
> This isn't needed if you use GPO's.
> It looks like this was already an issue on Samba 11 years ago:
> https://serverfault.com/questions/159795/linux-active-directory-authentication-only-letting-certain-groups-login 
> Looking over the offered solutions:
>  - Use /etc/security/access.conf  for this; e.g. add something like:
>   + : administrator : ALL
>   + : my_special_group : ALL
>   - : ALL : ALL
> I've only ever done this with local groups in /etc/group.  But 
> presumably if you have winbind set in /etc/nsswitch.con:
>   passwd:         compat systemd winbind
>   group:          compat systemd winbind
> pam_access.so will use this to verify group membership. I think the 
> LDAP functions are built in to glibc; not sure how this works with AD 
> authentication. Also couldn't find confirmation online that this 
> actually works with AD Security Groups -- all the examples I saw were 
> using generic LDAP.
> It's also been suggested that you can use the pam_require.so module 
> for this, say by adding this line to /etc/pam.d/common-auth on 
> Debian-based systems:
>   auth  required  pam_require.so  @my_special_group
> But I haven't been able to confirm this works with AD Security Groups, 
> either.  Is there another way of doing this with pam? Not sure.
> Even if they work, the problem with the pam-based solutions (and 
> sssd's ad_access_filter approach) is that I'm explicating 
> @my_special_group in the host system's filesystem.  On some other host 
> I might want to restrict access to @my_other_special_group. The whole 
> point of using a Directory is centralizing the management of users and 
> groups, and these methods deviates from that.
>> Rowland
Allowing login for a certain group only is pretty simple in both sssd 
and winbind. Depending on the situation I use both of these:

Indeed set /etc/nsswitch.conf to resolv users and groups

passwd:         files systemd winbind
group:          files systemd winbind


passwd:         files systemd sss
group:          files systemd sss

For winbind set /etc/security/pam_winbind.conf

warn_pwd_expire = 30

# winbind will keep your Ticket Granting Ticket (TGT) up-to-date by 
refreshing it whenever necessary
# (needs "winbind refresh tickets = yes" in smb.conf)
krb5_auth = yes

# succeed only if the user is a member of the given SID or NAME
# SID of "acl-desktops_acces" is:
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118

For sssd add below keys in /etc/sssd/sssd.conf:

id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# Access for member of specifed group(s)
access_provider = simple
simple_allow_groups = acl-desktops_access

use_fully_qualified_names = false
pwd_expiration_warning = 30

in Debian Bullseye sssd-ad is broken 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995), i.e. use 

In addition I tried pam_group a make users in AD-groups members of a 
local (access-)groups (for example 'sudo' or 'libvirt'). That works when 
viewed from the user that logged in, i.e. if I do 'id', I see myself as 
member of sudo and libvirt. But if the libvirt daemon checks 
group-memberships it does not see me as a member.
The only solution I could come up with is to write a script to really 
add my groups to the local-groups on login and remove the memberships on 
logout. pam_script can facilitate this, the script goes into 
/usr/share/libpam-script/pam_script_ses_open and create a symlink 
pam_script_ses_close to pam_script_ses_open.
The script:

#! /bin/bash
SUPPORTED_SERVICES="login sshd sddm-helper"
SCRIPT_CALLED_AS="$(basename $0)"

[[ -n "${PAM_USER}" ]] || exit 0
[[ -n "${PAM_SERVICE}" ]] || exit 0
! grep -q "^${PAM_USER}:" /etc/passwd || exit 0  # Do not do this for 
local users !!
echo "${SUPPORTED_SERVICES}" | grep -wq "${PAM_SERVICE}" || exit 0

declare -A GROUP_MAP
# Allow sudo to root for:

# https://wiki.debian.org/SystemGroups
# Allow access to devices:

if [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_close" ]]; then
    N_LOGINS=$(who | awk '{print $1}' | grep "${PAM_USER}" | wc -l)
     if [[ ${N_LOGINS} -eq 0 ]]; then
         usermod -G "" ${PAM_USER}

elif [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_open" ]]; then
     USER_GROUPS="$(id -Gn ${PAM_USER})"
     for DOMAIN_GROUP in "${!GROUP_MAP[@]}"; do
         if echo "${USER_GROUPS}" | grep -wq "${DOMAIN_GROUP}"; then
             LOCAL_GROUPS="$(echo "${GROUP_MAP[$DOMAIN_GROUP]}" | sed 
's/,/ /g')"
             for LOCAL_GROUP in $LOCAL_GROUPS; do
                 grep -q "^${LOCAL_GROUP}:" /etc/group || continue
                 usermod -a -G "${LOCAL_GROUP}" ${PAM_USER}
exit 0

Now /etc/group is actually updated when ou login or logout and even 
libvirtd sees the memberships correctly.

- Kees

More information about the samba mailing list