[Samba] Winbind not respecting GPO based access restrictions?
Patrick Goetz
pgoetz at math.utexas.edu
Mon Sep 5 18:32:52 UTC 2022
There has been much discussion on this list about whether or not one
needs sssd with Samba, especially now that winbind is required. Based on
recent experience, here is at least one example where it seems you also
need sssd:
GPO-based access restriction based on security groups is in my opinion
the absolute floor for functional file services in an environment where
you don't want to grant everyone access to the file servers. On Linux
one can do this with a local /etc/security/access.conf file, but it
seems better to manage this through the domain. Unfortunately I could
not get this working using just winbind.
This just works with sssd, but I'm trying to do a Samba-only deployment
against our University AD.
I created the following GPO and applied it to the OU the Samba domain
client is in:
Computer Configuration --> Policies --> Windows Settings
--> Security Settings --> Local Policies
Allow log on locally: HarrisLab, BUILTIN\Administrators
Allow log on through Terminal Services: HarrisLab
On sssd-based systems this is how we restrict Linux workstation access
to particular security groups, usually consisting of the lab members of
the lab which owns the machine. The name "Allow log on through Terminal
Services" is a bit misleading, as this setting applies to all remote
access; in particular it restricts ssh access to the machine, assuming
ChallengeResponseAuthentication yes
is set in /etc/ssh/sshd_config and the appropriate pam module
(pam_sss.so or presumably pam_winbind.so) is set in the auth section of
/etc/pam.d/sshd.
Unfortunately this does not seem to be working with winbind. Currently
any domain member (I've tried) is able to ssh to the machine as if the
GPO were just being ignored.
I'm wondering if there is some additional configuration needed for
winbind to make this work.
I'm not even sure how to debug this. I looked through all the Samba log
files and found nothing, and executing `ssh -vvv` didn't provide any
illumination, either.
Any suggestions for what to try? Can someone confirm that this should
work with Winbind?
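As an added illustration (not part of Patrick's message, and not Samba or pam_access code), here is a small evaluator for the local /etc/security/access.conf alternative he mentions, modelling the rule semantics pam_access.so applies: first matching line wins, and a login that matches no line is allowed, which is why a trailing "- : ALL : ALL" is needed. The sample file and the supported subset (ALL, LOCAL, "(group)" and bare-name matching; EXCEPT is not handled, and LOCAL is approximated as "origin contains no dot") are assumptions of this example.

```python
from typing import Iterable

# Constructed sample access.conf limiting the host to the HarrisLab security
# group, the local equivalent of the "Allow log on" GPO in the post.
ACCESS_CONF = """\
# local root may log in on the console only
+ : root : LOCAL
# lab members may log in from anywhere (console or ssh)
+ : (HarrisLab) : ALL
# everyone else is denied; without this line unmatched logins are allowed
- : ALL : ALL
"""

def parse_access_conf(text: str) -> list[tuple[bool, list[str], list[str]]]:
    """Return (allow, users, origins) triples in file order, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        # fields are separated by spaces or commas
        rules.append((perm == "+",
                      users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules

def _user_matches(token: str, user: str, groups: set[str]) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups          # "(name)" forces a group match
    return token == user or token in groups   # bare name: user or group

def _origin_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin              # simplification: tty, not a remote host
    return token == origin

def is_allowed(rules, user: str, groups: Iterable[str], origin: str) -> bool:
    """First matching rule decides; no match at all means access is granted."""
    groups = set(groups)
    for allow, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return allow
    return True
```

Drop the final deny line from ACCESS_CONF and a non-member logging in over ssh is accepted, which is the failure mode to check for when auditing such a file.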