[Samba] Fwd: Winbind and GPO access restrictions?

Patrick Goetz pgoetz at math.utexas.edu
Sat Oct 2 19:18:57 UTC 2021 

That was extremely helpful, thanks. Also, clever use of pam_script. I've 
had to invoke this to facilitate automatic home directory creation on 
workstations where the home directory folder is automounted from an NFS 
server and workstations are root_squash'ed. Very kludgy; linux needs 
better default ACLs.

Does "require_membership_of" in /etc/security/pam_winbind.conf insist on 
the use of SIDs, or can you use userName and/or a Security Group name here?

On 10/2/21 13:20, Kees van Vloten via samba wrote:
> On 02-10-2021 18:18, Patrick Goetz via samba wrote:
>>
>>
>> On 10/1/21 16:27, Rowland Penny via samba wrote:
>>> On Fri, 2021-10-01 at 17:01 -0400, Robert Marcano via samba wrote:
>>>> On 10/1/21 3:25 PM, Rowland Penny via samba wrote:
>>>>> On Fri, 2021-10-01 at 14:52 -0400, Robert Marcano via samba wrote:
>>>>>> On 10/1/21 2:21 PM, Patrick Goetz via samba wrote:
>>>>>>>
>>>>>
>>>>> I know I wasn't going to reply to any post that mentioned sssd,
>>>>> but,
>>>>> have you seen this:
>>>>>
>>>>> https://wiki.samba.org/index.php/Group_Policy
>>>>
>>>> Never, ever refrain from posting. We could skip knowledge we don't
>>>> know.
>>>
>>> I will not post about sssd. I do not believe that you need to use sssd
>>> with Samba. Just about everything that sssd can do, Samba can do, or
>>> you can use another program with the data in AD. sudo is one such
>>> program, you can place the sudo rules in AD and then set up sudo to
>>> pull these rules from AD.
>>>
>>> Samba does not produce sssd, so cannot provide good support for it,
>>> this is the province of the sssd-mailing list.
>>>
>>> I have absolutely nothing against sssd, I used to use it years ago,
>>> until I realised that I did not need it. It is just something else to
>>> set up, for (in my opinion) no extra benefit.
>>>
>>>> The wiki say: "Password and Kerberos policies, found in Computer
>>> Configuration > Policies > OS Settings > Security Settings > Account
>>> Policy, are only applicable to Samba Domain Controllers. "
>>>
>>>> We are talking about login on workstations, restricting user login
>>>> based
>>>>
>>>> on groups, on workstations. If these kind of policies are now
>>>> supported,
>>>> cool, then the Wiki needs an update.
>>>
>>> David Mulder has done quite a lot of work on GPO's recently, I am not
>>> certain just what applies and where, but it is likely that if what you
>>> are referring to isn't there now, then there is a good chance it will
>>> turn up fairly soon.
>>>
>>> Are you aware that you can join a Unix domain member with samba-tool
>>> from Samba 4.15.0 ? Of course you will still need to create a smb.conf
>>> before attempting the join, but this could be created during the join
>>> if the command was extended to this, it just needs to ask a few
>>> questions, or provide options to the command
>>>
>>
>> The issue though is authentication access restrictions on domain 
>> members. I'm not a Windows guy and have only recently been using AD, 
>> but it's my understanding that a GPO is the standard way in AD-world 
>> to implement host-based access restrictions.
>>
>> sssd is able to access group and user access permissions in GPO's (but 
>> this is pretty much the only GPO functionality implemented for linux 
>> hosts so far AFAIK).  sssd also has a key called ad_access_filter 
>> which you can set in the domain section of /etc/sssd/sssd.conf; e.g.
>>
>>   ad_access_filter = 
>> samdom:(memberOf=cn=my_special_group,ou=groups,dc=samdom,dc-example,dc=com) 
>>
>>
>> This isn't needed if you use GPO's.
>>
>>
>> It looks like this was already an issue on Samba 11 years ago:
>>
>>
>> https://serverfault.com/questions/159795/linux-active-directory-authentication-only-letting-certain-groups-login 
>>
>>
>> Looking over the offered solutions:
>>
>>  - Use /etc/security/access.conf  for this; e.g. add something like:
>>
>>   + : administrator : ALL
>>   + : my_special_group : ALL
>>   - : ALL : ALL
>>
>> I've only ever done this with local groups in /etc/group.  But 
>> presumably if you have winbind set in /etc/nsswitch.con:
>>
>>   passwd:         compat systemd winbind
>>   group:          compat systemd winbind
>>
>> pam_access.so will use this to verify group membership. I think the 
>> LDAP functions are built in to glibc; not sure how this works with AD 
>> authentication. Also couldn't find confirmation online that this 
>> actually works with AD Security Groups -- all the examples I saw were 
>> using generic LDAP.
>>
>> It's also been suggested that you can use the pam_require.so module 
>> for this, say by adding this line to /etc/pam.d/common-auth on 
>> Debian-based systems:
>>
>>   auth  required  pam_require.so  @my_special_group
>>
>>
>> But I haven't been able to confirm this works with AD Security Groups, 
>> either.  Is there another way of doing this with pam? Not sure.
>>
>> Even if they work, the problem with the pam-based solutions (and 
>> sssd's ad_access_filter approach) is that I'm explicating 
>> @my_special_group in the host system's filesystem.  On some other host 
>> I might want to restrict access to @my_other_special_group. The whole 
>> point of using a Directory is centralizing the management of users and 
>> groups, and these methods deviates from that.
>>
>>
>>> Rowland
>>>
>>>
>>>
>>
> Allowing login for a certain group only is pretty simple in both sssd 
> and winbind. Depending on the situation I use both of these:
> 
> Indeed set /etc/nsswitch.conf to resolv users and groups
> 
> passwd:         files systemd winbind
> group:          files systemd winbind
> 
> Or
> 
> passwd:         files systemd sss
> group:          files systemd sss
> 
> For winbind set /etc/security/pam_winbind.conf
> 
> [global]
> warn_pwd_expire = 30
> 
> # winbind will keep your Ticket Granting Ticket (TGT) up-to-date by 
> refreshing it whenever necessary
> # (needs "winbind refresh tickets = yes" in smb.conf)
> krb5_auth = yes
> 
> # succeed only if the user is a member of the given SID or NAME
> # SID of "acl-desktops_acces" is:
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
> 
> For sssd add below keys in /etc/sssd/sssd.conf:
> 
> [domain/example.com]
> id_provider = ldap
> access_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> 
> # Access for member of specifed group(s)
> access_provider = simple
> simple_allow_groups = acl-desktops_access
> 
> use_fully_qualified_names = false
> pwd_expiration_warning = 30
> 
> in Debian Bullseye sssd-ad is broken 
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979995), i.e. use 
> ldap+krb5.
> 
> In addition I tried pam_group a make users in AD-groups members of a 
> local (access-)groups (for example 'sudo' or 'libvirt'). That works when 
> viewed from the user that logged in, i.e. if I do 'id', I see myself as 
> member of sudo and libvirt. But if the libvirt daemon checks 
> group-memberships it does not see me as a member.
> The only solution I could come up with is to write a script to really 
> add my groups to the local-groups on login and remove the memberships on 
> logout. pam_script can facilitate this, the script goes into 
> /usr/share/libpam-script/pam_script_ses_open and create a symlink 
> pam_script_ses_close to pam_script_ses_open.
> The script:
> 
> #! /bin/bash
> #
> SUPPORTED_SERVICES="login sshd sddm-helper"
> SCRIPT_CALLED_AS="$(basename $0)"
> 
> [[ -n "${PAM_USER}" ]] || exit 0
> [[ -n "${PAM_SERVICE}" ]] || exit 0
> ! grep -q "^${PAM_USER}:" /etc/passwd || exit 0  # Do not do this for 
> local users !!
> echo "${SUPPORTED_SERVICES}" | grep -wq "${PAM_SERVICE}" || exit 0
> 
> declare -A GROUP_MAP
> GROUP_MAP["acl-app_libvirt-access"]="libvirt"
> # Allow sudo to root for:
> GROUP_MAP["acl-desktops_sudo_root"]="sudo"
> 
> # https://wiki.debian.org/SystemGroups
> # Allow access to devices:
> GROUP_MAP["grp_${PAM_USER}"]="audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users" 
> 
> 
> if [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_close" ]]; then
>     N_LOGINS=$(who | awk '{print $1}' | grep "${PAM_USER}" | wc -l)
>      if [[ ${N_LOGINS} -eq 0 ]]; then
>          usermod -G "" ${PAM_USER}
>      fi
> 
> elif [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_open" ]]; then
>      USER_GROUPS="$(id -Gn ${PAM_USER})"
>      for DOMAIN_GROUP in "${!GROUP_MAP[@]}"; do
>          if echo "${USER_GROUPS}" | grep -wq "${DOMAIN_GROUP}"; then
>              LOCAL_GROUPS="$(echo "${GROUP_MAP[$DOMAIN_GROUP]}" | sed 
> 's/,/ /g')"
>              for LOCAL_GROUP in $LOCAL_GROUPS; do
>                  grep -q "^${LOCAL_GROUP}:" /etc/group || continue
>                  usermod -a -G "${LOCAL_GROUP}" ${PAM_USER}
>              done
>          fi
>      done
> fi
> exit 0
> 
> Now /etc/group is actually updated when ou login or logout and even 
> libvirtd sees the memberships correctly.
> 
> - Kees
> 
>

More information about the samba mailing list