[Samba] Enabling GPO-based access control for services: ad_gpo_map_network
Patrick Goetz
pgoetz at math.utexas.edu
Fri Feb 18 20:12:54 UTC 2022
Since I'm thinking about trying to ditch sssd and just use winbind, I'm
curious to know how a recent sssd struggle I went through would have
been handled with winbind.
I couldn't get nomachine to do AD authentication using the nx protocol
until I added the following line to sssd.conf:
ad_gpo_map_network = +nx
This didn't really make sense to me until I looked at the man page for
sssd.conf:
-------------
ad_gpo_map_network (string)
A comma-separated list of PAM service names for which GPO-based
access control is evaluated based on the NetworkLogonRight and
DenyNetworkLogonRight policy settings.
It is possible to add another PAM service name to the default set
by using “+service_name” or to explicitly remove a PAM service name from
the default set by using “-service_name”. For example, in order to
replace a default PAM service name for this logon right (e.g. “ftp”)
with a custom pam service name (e.g. “my_pam_service”), you would use
the following configuration:
ad_gpo_map_network = +my_pam_service, -ftp
Default: the default set of PAM service names includes:
ftp
samba
-------------
We use security groups and GPO to restrict who can log in to these
workstations, so this makes sense.
How would this have been handled by winbind, if at all? I looked
through the nomachine knowledge and couldn't find anything referring to
the use of winbind.
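To make the "+service"/"-service" semantics from the man page excerpt concrete, here is a small added simulation (example code, not part of the original post or of sssd itself) that computes the effective set of PAM service names sssd would evaluate against NetworkLogonRight/DenyNetworkLogonRight for a given ad_gpo_map_network value. The default set {ftp, samba} is taken from the quoted man page; the function names, the rejection of entries lacking a "+" or "-" prefix, and the sample values are assumptions of this example.

```python
# Added example: resolve the effective PAM service set for ad_gpo_map_network.
# Default set copied from the sssd.conf man page excerpt above (ftp, samba).
DEFAULT_NETWORK_SERVICES = frozenset({"ftp", "samba"})


def effective_services(option_value, default=DEFAULT_NETWORK_SERVICES):
    """Apply a comma-separated list of '+name' / '-name' entries to the default set.

    '+name' adds a PAM service to the set evaluated for the network logon right,
    '-name' removes one.  Entries without a prefix are rejected here; this is an
    assumption of the example, not documented sssd behaviour.
    """
    services = set(default)
    for raw in option_value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and stray whitespace
        prefix, name = entry[0], entry[1:].strip()
        if not name:
            raise ValueError(f"empty service name in entry {entry!r}")
        if prefix == "+":
            services.add(name)
        elif prefix == "-":
            services.discard(name)  # removing an absent name is harmless
        else:
            raise ValueError(f"entry {entry!r} must start with '+' or '-'")
    return frozenset(services)


def gpo_network_check_applies(pam_service, option_value):
    """True if GPO-based access control would be evaluated for this PAM service."""
    return pam_service in effective_services(option_value)


if __name__ == "__main__":
    # Constructed sample: the setting from the post, and the man page's example.
    for value in ("+nx", "+my_pam_service, -ftp", ""):
        print(f"{value!r:28} -> {sorted(effective_services(value))}")
    print("nx evaluated with '+nx':", gpo_network_check_applies("nx", "+nx"))
```

Run as a script it prints the resolved set for each sample value; the point is that without "+nx" the nx PAM service is simply not in the evaluated set, so the NetworkLogonRight policy never applies to it, which matches the behaviour described in the post.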