[Samba] Winbind not respecting GPO based access restrictions?

Patrick Goetz pgoetz at math.utexas.edu
Mon Sep 5 18:32:52 UTC 2022 

There has been much discussion on this list about whether or not one 
needs sssd with Samba, especially now that winbind is required. Based on 
recent experience, here as at least one example where it seems you also 
need sssd:

GPO-based access restriction based on security groups is in my opinion 
the absolute floor for functional file services in an environment where 
you don't want to grant everyone access to the file servers. On linux 
one can do this with a local /etc/security/access.conf file, but it 
seems better to manage this through the domain.  Unfortunately I could 
not get this working using just windbind.

This just works with sssd, but I'm trying to do a Samba-only deployment 
against our University AD.

I created the following GPO and applied it to the OU the Samba domain 
client is in:

   Computer Configuration --> Policies --> Windows Settings
   --> Security Settings --> Local Polices

     Allow log on locally:  HarrisLab, BUILTIN\Administrators
     Allow log on through Terminal Services:  HarrisLab

On sssd-based systems this is how we restrict linux workstation access 
to particular security groups, usually consisting of the lab members of 
the lab which owns the machine.  The name "Allow log on through Terminal 
Services" is a bit misleading, as this setting applies to all remote 
access; in particular it restricts ssh access to the machine, assuming

    ChallengeResponseAuthentication yes

is set in /etc/ssh/sshd_config and the appropriate pam module 
(pam_sss.so or presumably pam_winbind.so) is set in the auth section of 
/etc/pam.d/sshd.

Unfortunately this does not seem to be working with winbind.  Currently 
any domain member (I've tried) is able to ssh to the machine as if the 
GPO were just being ignored.

I'm wondering if there is some additional configuration needed for 
winbind to make this work.

I'm not even sure how to debug this.  I looked through all the Samba log 
files and found nothing, and executing `ssh -vvv` didn't provide any 
illumination, either.

Any suggestions for what to try?  Can someone confirm that this should 
work with Winbind?

More information about the samba mailing list