Patrick Goetz
2022-Feb-18 20:12 UTC
[Samba] Enabling GPO-based access control for services: ad_gpo_map_network
Since I'm thinking about trying to ditch sssd and just use winbind, I'm curious to know how a recent sssd struggle I went through would have been handled with winbind.

I couldn't get nomachine to do AD authentication using the nx protocol until I added the following line to sssd.conf:

    ad_gpo_map_network = +nx

This didn't really make sense to me until I looked at the man page for sssd.conf:

-------------
ad_gpo_map_network (string)
    A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the NetworkLogonRight and DenyNetworkLogonRight policy settings.

    It is possible to add another PAM service name to the default set by using "+service_name" or to explicitly remove a PAM service name from the default set by using "-service_name". For example, in order to replace a default PAM service name for this logon right (e.g. "ftp") with a custom pam service name (e.g. "my_pam_service"), you would use the following configuration:

        ad_gpo_map_network = +my_pam_service, -ftp

    Default: the default set of PAM service names includes: ftp samba
-------------

We use security groups and GPO to restrict who can log in to these workstations, so this makes sense. How would this have been handled by winbind, if at all? I looked through the nomachine knowledge and couldn't find anything referring to the use of winbind.
Patrick Goetz
2022-Feb-25 14:42 UTC
[Samba] Enabling GPO-based access control for services
I'm necro-bumping this unanswered post, as I'm about to start on another deployment where nomachine on linux will likely come into play, and will be out of sorts if I proceed with a Samba only installation only to learn that I have to retrofit sssd because I can't get this working.

On a system using sssd, I had to modify sssd.conf as described below in order to get nomachine to authenticate AD users using the nx protocol. Does anyone have any experience with this in a Samba only deployment? I.e. does it just work, or do I need to set something in smb.conf as per the description below?

Thanks.

-------- Forwarded Message --------
Subject: [Samba] Enabling GPO-based access control for services: ad_gpo_map_network
Date: Fri, 18 Feb 2022 14:12:54 -0600
From: Patrick Goetz via samba <samba at lists.samba.org>
Reply-To: Patrick Goetz <pgoetz at math.utexas.edu>
To: Samba listserv <samba at lists.samba.org>

Since I'm thinking about trying to ditch sssd and just use winbind, I'm curious to know how a recent sssd struggle I went through would have been handled with winbind.

I couldn't get nomachine to do AD authentication using the nx protocol until I added the following line to sssd.conf:

    ad_gpo_map_network = +nx

This didn't really make sense to me until I looked at the man page for sssd.conf:

-------------
ad_gpo_map_network (string)
    A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the NetworkLogonRight and DenyNetworkLogonRight policy settings.

    It is possible to add another PAM service name to the default set by using "+service_name" or to explicitly remove a PAM service name from the default set by using "-service_name". For example, in order to replace a default PAM service name for this logon right (e.g. "ftp") with a custom pam service name (e.g. "my_pam_service"), you would use the following configuration:

        ad_gpo_map_network = +my_pam_service, -ftp

    Default: the default set of PAM service names includes: ftp samba
-------------

We use security groups and GPO to restrict who can log in to these workstations, so this makes sense. How would this have been handled by winbind, if at all? I looked through the nomachine knowledge and couldn't find anything referring to the use of winbind.
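The "+service" / "-service" semantics of ad_gpo_map_network quoted from the sssd.conf man page in both posts above, worked through as an added example (not code from the thread, sssd or NoMachine). It computes which PAM service names end up gated by NetworkLogonRight / DenyNetworkLogonRight for a given option value; the defaults "ftp" and "samba" and the "nx" service name come from the posts, while rejecting an entry that lacks a +/- prefix is an assumption of this example, not something the man page excerpt states.

```python
# Added example: effective PAM service set for sssd's ad_gpo_map_network.
# Semantics per the sssd.conf man page excerpt quoted in the thread:
#   "+name" adds a PAM service to the default set, "-name" removes one.
# Defaults ("ftp", "samba") are taken from that excerpt.  Rejecting an
# entry with no +/- prefix is an ASSUMPTION of this example.

DEFAULT_NETWORK_SERVICES = frozenset({"ftp", "samba"})


def effective_network_services(option_value, defaults=DEFAULT_NETWORK_SERVICES):
    """Return the PAM service names GPO access control is evaluated for.

    option_value is the raw value of ad_gpo_map_network, e.g. "+nx" or
    "+my_pam_service, -ftp"; None means the option is unset.
    Whitespace around commas is ignored, empty entries are skipped.
    """
    services = set(defaults)
    if option_value is None:
        return services
    for raw in option_value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing or doubled commas
        prefix, name = entry[0], entry[1:].strip()
        if not name:
            raise ValueError(f"missing service name in entry {entry!r}")
        if prefix == "+":
            services.add(name)
        elif prefix == "-":
            services.discard(name)  # removing an absent name is harmless
        else:
            # Assumption: an explicit +/- prefix is required.
            raise ValueError(f"entry {entry!r} must start with '+' or '-'")
    return services


def is_gpo_checked(pam_service, option_value):
    """True if the PAM stack pam_service is gated by the network logon rights."""
    return pam_service in effective_network_services(option_value)


if __name__ == "__main__":
    # Constructed values mirroring the thread: NoMachine's PAM stack is "nx".
    for value in ("+nx", "+my_pam_service, -ftp", None):
        print(f"{value!r:26} -> {sorted(effective_network_services(value))}")
    print("nx gated with option unset:", is_gpo_checked("nx", None))
    print("nx gated with '+nx':       ", is_gpo_checked("nx", "+nx"))
```

A quick way to confirm which stack name NoMachine uses is to look at the service file it installs under /etc/pam.d/ and feed that name to is_gpo_checked above.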