On Fri, 2018-01-26 at 12:22 +0100, mathias dufresne via samba
wrote:
> Hi all,
>
> Is there a way to force Winbind to accept authentication of users inside
> some particular OU only?
Sadly not. I once worked with a customer on their patched winbind that
did that, but the patch wasn't possible to continue forward into modern
versions.
However, you can restrict password authentication via ntlm_auth and
pam_winbind with the --require-membership-of and require_membership_of
options to those tools.
(Things like SSH keys still work regardless of this setting; as I say,
it is attached to password authentication for technical reasons.)
In the medium term the reason we did the work for the 2012 AD schema
and FL upgrade was to enable us to work on features like Silos that
implement this, but this isn't yet something anybody has promised to
fund/deliver.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
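To make the two options above concrete, here is an added example (written for this page, not code from the mail, from Samba or from the pam_winbind/ntlm_auth man pages) that writes the pam_winbind.conf setting and runs the matching ntlm_auth check. The domain EXAMPLE, the group name EXAMPLE\linux-logins and the SID used in the comments are placeholders; substitute your own.

```shell
#!/bin/sh
# Added example: restrict winbind *password* logins to members of one AD group.
# Assumed placeholders (not from the original mail): domain EXAMPLE, group
# EXAMPLE\linux-logins. The two settings used are require_membership_of in
# pam_winbind.conf(5) and --require-membership-of in ntlm_auth(1).

# Write a pam_winbind.conf whose [global] section only lets members of GROUP
# authenticate by password. $1 = path (normally /etc/security/pam_winbind.conf),
# $2 = group as DOMAIN\name or as a SID (S-1-5-21-...). A SID survives group
# renames, so prefer it for anything long-lived.
write_pam_winbind_conf() {
    conf="$1"
    group="$2"
    cat > "$conf" <<EOF
[global]
# Deny password authentication unless the user's token carries this group.
# Note: this gates password logins only; key-based SSH logins are unaffected.
require_membership_of = $group
EOF
}

# Return 0 only when CONF actually carries the restriction for GROUP.
# -x matches the whole line, -F keeps the backslash in DOMAIN\name literal.
conf_restricts_to() {
    grep -qxF "require_membership_of = $2" "$1"
}

# Check one user's password through winbind with the same group restriction.
# Exit status is ntlm_auth's own: 0 on success, non-zero when the password is
# wrong or the user is not a member of GROUP. Use it with one account inside
# the group and one outside to confirm the deny path before relying on it.
check_login() {
    user="$1"; domain="$2"; password="$3"; group="$4"
    ntlm_auth --username="$user" --domain="$domain" \
              --password="$password" \
              --require-membership-of="$group"
}

# Typical use (not run here; needs a joined host with winbindd running):
#   write_pam_winbind_conf /etc/security/pam_winbind.conf 'EXAMPLE\linux-logins'
#   check_login alice EXAMPLE 'her-password' 'EXAMPLE\linux-logins'; echo "rc=$?"
```

Both settings consult the group membership in the user's logon token, so the check is enforced by winbindd rather than by a local group file; it does nothing for authentication paths that never hand winbind a password, which is the caveat the reply already makes about SSH keys.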