[Samba] Enabling GPO-based access control for services

Patrick Goetz pgoetz at math.utexas.edu
Fri Feb 25 14:42:43 UTC 2022

I'm necro-bumping this unanswered post, as I'm about to start on another 
deployment where nomachine on linux will likely come into play, and will 
be out of sorts if I proceed with a Samba only installation only to 
learn that I have to retrofit sssd because I can't get this working.

On a system using sssd, I had to modify sssd.conf as described below in 
order to get nomachine to authenticate AD users using the nx protocol. 
Does anyone have any experience with this in a Samba only deployment? 
I.e. does it just work, or do I need to set something in smb.conf as per 
the description below?


-------- Forwarded Message --------
Subject: [Samba] Enabling GPO-based access control for services: 
Date: Fri, 18 Feb 2022 14:12:54 -0600
From: Patrick Goetz via samba <samba at lists.samba.org>
Reply-To: Patrick Goetz <pgoetz at math.utexas.edu>
To: Samba listserv <samba at lists.samba.org>

Since I'm thinking about trying to ditch sssd and just use winbind, I'm 
curious to know how a recent sssd struggle I went through would have 
been handled with winbind.

I couldn't get nomachine to do AD authentication using the nx protocol 
until I added the following line to sssd.conf:

   ad_gpo_map_network = +nx

This didn't really make sense to me until I looked at the man page for 

ad_gpo_map_network (string)

     A comma-separated list of PAM service names for which GPO-based 
access control is evaluated based on the NetworkLogonRight and 
DenyNetworkLogonRight policy settings.

     It is possible to add another PAM service name to the default set 
by using “+service_name” or to explicitly remove a PAM service name from 
the default set by using “-service_name”. For example, in order to 
replace a default PAM service name for this logon right (e.g. “ftp”) 
with a custom pam service name (e.g. “my_pam_service”), you would use 
the following configuration:

     ad_gpo_map_network = +my_pam_service, -ftp

     Default: the default set of PAM service names includes:


We use security groups and GPO to restrict who can log in to these 
workstations, so this makes sense.

How would this have been handled by winbind, if at all?  I looked 
through the nomachine knowledge and couldn't find anything referring to 
the use of winbind.
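As an added illustration of the man-page semantics quoted above (this is not code from the post or from the sssd project), the following reads an sssd.conf fragment and computes which PAM services will have GPO-based access control evaluated against the NetworkLogonRight / DenyNetworkLogonRight settings. The quoted excerpt stops before the default list, so the default set used here (ftp, samba) is an assumption, as are the domain name and the sample configuration.

```python
import configparser

# Assumed default for ad_gpo_map_network. The mailing-list post quotes the man
# page only up to "Default: ... includes:", so this set is an assumption.
DEFAULT_NETWORK_SERVICES = frozenset({"ftp", "samba"})


def parse_map_option(value, defaults=DEFAULT_NETWORK_SERVICES):
    """Apply sssd's '+service' / '-service' syntax to a default service set.

    '+nx' adds the nx PAM service to the set, '-ftp' removes ftp from it.
    The man-page excerpt documents only these two forms, so a bare name is
    rejected rather than silently guessed at.
    """
    effective = set(defaults)
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("+"):
            effective.add(item[1:].strip())
        elif item.startswith("-"):
            effective.discard(item[1:].strip())
        else:
            raise ValueError(f"expected +service or -service, got {item!r}")
    return frozenset(effective)


def network_logon_services(sssd_conf_text, domain_section):
    """Return the PAM services evaluated against the network logon right.

    Reads ad_gpo_map_network from the given [domain/...] section; an absent
    option means the default set applies unchanged.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    value = cp.get(domain_section, "ad_gpo_map_network", fallback="")
    return parse_map_option(value)


def is_gpo_evaluated(service, services):
    """True if logins through this PAM service are subject to the GPO check."""
    return service in services


# Constructed sample sssd.conf; the domain name is a placeholder.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
# Enforce the GPO logon rights rather than only logging violations.
ad_gpo_access_control = enforcing
# Treat the nomachine "nx" PAM service like a network logon.
ad_gpo_map_network = +nx
"""

if __name__ == "__main__":
    services = network_logon_services(SAMPLE_CONF, "domain/example.com")
    print("network logon services:", sorted(services))
    print("nx evaluated:", is_gpo_evaluated("nx", services))
    # The man page's own example: swap ftp for a custom service name.
    print(sorted(parse_map_option("+my_pam_service, -ftp")))
```

Without the `+nx` entry, `is_gpo_evaluated("nx", ...)` is false, which is the state in which nomachine logins are not checked against the network logon right at all; the same parsing rule applies to the other `ad_gpo_map_*` options, only the default set differs.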
