[Samba] Enabling GPO-based access control for services: ad_gpo_map_network

Patrick Goetz pgoetz at math.utexas.edu
Fri Feb 18 20:12:54 UTC 2022

Since I'm thinking about trying to ditch sssd and just use winbind, I'm 
curious to know how a recent sssd struggle I went through would have 
been handled with winbind.

I couldn't get nomachine to do AD authentication using the nx protocol 
until I added the following line to sssd.conf:

   ad_gpo_map_network = +nx

This didn't really make sense to me until I looked at the man page for 

ad_gpo_map_network (string)

     A comma-separated list of PAM service names for which GPO-based 
access control is evaluated based on the NetworkLogonRight and 
DenyNetworkLogonRight policy settings.

     It is possible to add another PAM service name to the default set 
by using “+service_name” or to explicitly remove a PAM service name from 
the default set by using “-service_name”. For example, in order to 
replace a default PAM service name for this logon right (e.g. “ftp”) 
with a custom pam service name (e.g. “my_pam_service”), you would use 
the following configuration:

     ad_gpo_map_network = +my_pam_service, -ftp

     Default: the default set of PAM service names includes:


We use security groups and GPO to restrict who can log in to these 
workstations, so this makes sense.

How would this have been handled by winbind, if at all?  I looked 
through the nomachine knowledge and couldn't find anything referring to 
the use of winbind.
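To make the "+service" / "-service" semantics quoted from the man page concrete, here is an added helper (not from the post, not sssd's own code) that computes which PAM services end up evaluated under a logon right; the default set used below is constructed for illustration and the real default for ad_gpo_map_network is the one listed in sssd-ad(5).

```python
# Added example: apply an ad_gpo_map_* value ("+name, -name" list) to a
# default set of PAM service names and report the effective mapping.


def effective_services(default_set, value):
    """Apply a comma-separated "+name, -name" list to default_set.

    Returns a frozenset of PAM service names.  Entries without a leading
    '+' or '-' are rejected (assumption: this helper treats them as a
    configuration error rather than guessing what was intended).
    """
    result = set(default_set)
    if value is None:           # option not set at all: defaults apply
        return frozenset(result)
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue            # tolerate trailing commas / double spaces
        op, name = entry[0], entry[1:].strip()
        if op not in "+-" or not name:
            raise ValueError(f"malformed entry {entry!r}: expected +name or -name")
        if op == "+":
            result.add(name)
        else:
            result.discard(name)   # removing an absent name is a no-op
    return frozenset(result)


def is_mapped(default_set, value, pam_service):
    """True if pam_service will be checked against this logon right."""
    return pam_service in effective_services(default_set, value)


# Constructed default set for illustration only (hypothetical); the
# authoritative default for ad_gpo_map_network is given in sssd-ad(5).
NETWORK_DEFAULTS = frozenset({"ftp", "samba"})

if __name__ == "__main__":
    # Before the fix described in the post: nx is not mapped, so the
    # NetworkLogonRight / DenyNetworkLogonRight GPO settings are not applied to it.
    print(is_mapped(NETWORK_DEFAULTS, None, "nx"))      # False
    # After "ad_gpo_map_network = +nx":
    print(is_mapped(NETWORK_DEFAULTS, "+nx", "nx"))     # True
    # The man page's replace-ftp example:
    print(sorted(effective_services(NETWORK_DEFAULTS, "+my_pam_service, -ftp")))
```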
