[Samba] Enabling GPO-based access control for services
pgoetz at math.utexas.edu
Fri Feb 25 14:42:43 UTC 2022
I'm necro-bumping this unanswered post, as I'm about to start on another
deployment where NoMachine on Linux will likely come into play, and will
be out of sorts if I proceed with a Samba-only installation only to
learn that I have to retrofit sssd because I can't get this working.
On a system using sssd, I had to modify sssd.conf as described below in
order to get NoMachine to authenticate AD users using the nx protocol.
Does anyone have any experience with this in a Samba-only deployment?
I.e. does it just work, or do I need to set something in smb.conf as per
the description below?
-------- Forwarded Message --------
Subject: [Samba] Enabling GPO-based access control for services:
Date: Fri, 18 Feb 2022 14:12:54 -0600
From: Patrick Goetz via samba <samba at lists.samba.org>
Reply-To: Patrick Goetz <pgoetz at math.utexas.edu>
To: Samba listserv <samba at lists.samba.org>
Since I'm thinking about trying to ditch sssd and just use winbind, I'm
curious to know how a recent sssd struggle I went through would have
been handled with winbind.
I couldn't get NoMachine to do AD authentication using the nx protocol
until I added the following line to sssd.conf:

    ad_gpo_map_network = +nx
This didn't really make sense to me until I looked at the man page for
    A comma-separated list of PAM service names for which GPO-based
    access control is evaluated based on the NetworkLogonRight and
    DenyNetworkLogonRight policy settings.

    It is possible to add another PAM service name to the default set
    by using "+service_name" or to explicitly remove a PAM service name
    from the default set by using "-service_name". For example, in order
    to replace a default PAM service name for this logon right (e.g.
    "ftp") with a custom pam service name (e.g. "my_pam_service"), you
    would use the following configuration:

        ad_gpo_map_network = +my_pam_service, -ftp

    Default: the default set of PAM service names includes:
We use security groups and GPO to restrict who can log in to these
workstations, so this makes sense.
How would this have been handled by winbind, if at all? I looked
through the NoMachine knowledge and couldn't find anything referring to
the use of winbind.
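The following is an added example (not from the post, the sssd project or NoMachine) that models the two things the quoted man page text describes: how a "+name, -name" value of ad_gpo_map_network changes the set of PAM services that fall under NetworkLogonRight / DenyNetworkLogonRight, and how a logon for one of those services is then decided from the user's group SIDs. The default service set, the group SIDs and the "unmapped service is denied" fallback are assumptions made for the illustration; the post's quotation of the real default list is cut off, so only "ftp", the man page's own example, is used for it.

```python
"""Model of an sssd ad_gpo_map_network setting and the resulting logon decision.
Added example; not sssd's own code."""
from typing import Iterable, Set

# Constructed stand-in for sssd's default network-logon service list (assumption:
# the post's quotation of the real list is cut off, so only the man page's own
# example "ftp" is used here).
DEFAULT_NETWORK_SERVICES = frozenset({"ftp"})


def effective_services(setting: str,
                       default: Iterable[str] = DEFAULT_NETWORK_SERVICES) -> Set[str]:
    """Apply the documented "+name" (add) / "-name" (remove) syntax to a default set."""
    services = set(default)
    for token in (t.strip() for t in setting.split(",")):
        if not token:
            continue
        name = token[1:].strip()
        if token[0] == "+" and name:
            services.add(name)
        elif token[0] == "-" and name:
            services.discard(name)
        else:
            # A bare or empty name is outside the documented syntax; fail loudly
            # rather than guessing whether it adds to or replaces the default.
            raise ValueError(f"expected +name or -name, got {token!r}")
    return services


def network_logon_allowed(pam_service: str,
                          user_sids: Iterable[str],
                          allow_sids: Iterable[str],
                          deny_sids: Iterable[str],
                          mapped_services: Set[str],
                          unmapped_default_allow: bool = False) -> bool:
    """Decide a network logon for one PAM service.

    - A service not mapped to this logon right falls back to a default rule,
      modelled here as "deny" (assumption chosen to match the post, where nx
      was refused until it was mapped).
    - For a mapped service the Deny* right wins over the Allow* right, and the
      user must then hold at least one allowed SID (user or group).
    """
    if pam_service not in mapped_services:
        return unmapped_default_allow
    held = set(user_sids)
    if held & set(deny_sids):
        return False
    return bool(held & set(allow_sids))


# Constructed placeholder SIDs standing in for the AD security groups in the GPO.
WORKSTATION_USERS = "S-1-5-21-0-0-0-1101"   # placeholder group SID
CONTRACTORS = "S-1-5-21-0-0-0-1102"         # placeholder group SID
ALLOW = {WORKSTATION_USERS}
DENY = {CONTRACTORS}


def demo() -> dict:
    """Run the scenarios from the post and return the decisions for checking."""
    before = effective_services("")          # sssd.conf without the added line
    after = effective_services("+nx")        # sssd.conf with ad_gpo_map_network = +nx
    alice = {"S-1-5-21-0-0-0-2001", WORKSTATION_USERS}              # constructed user
    bob = {"S-1-5-21-0-0-0-2002", WORKSTATION_USERS, CONTRACTORS}   # constructed user
    return {
        "nx_unmapped": network_logon_allowed("nx", alice, ALLOW, DENY, before),
        "nx_mapped_alice": network_logon_allowed("nx", alice, ALLOW, DENY, after),
        "nx_mapped_bob": network_logon_allowed("nx", bob, ALLOW, DENY, after),
        "replace_ftp": effective_services("+my_pam_service, -ftp"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model only covers the decision itself; sssd applies it to a PAM service only when ad_gpo_access_control is set to enforcing, and the "deny wins" ordering is what makes the DenyNetworkLogonRight group useful as a blocklist on top of the allow group.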