Web lists-archives.com

Re: [Samba] Limit Winbind users to some OU




On Fri, 2018-01-26 at 12:22 +0100, mathias dufresne via samba wrote:
> Hi all,
> 
> Is there a way to force Winbind to accept authentication of users inside
> some particular OU only?

Sadly not.  I once worked with a customer on their patched winbind that
did that, but the patch wasn't possible to continue forward into modern
versions.

However, you can restrict password authentication via ntlm_auth and
pam_winbind with the --require-membership-of and require_membership_of 
options to those tools.

(Things like SSH keys still work regardless of this setting, as I say
it is attached to password authentication for technical reasons).

In the medium term the reason we did the work for the 2012 AD schema
and FL upgrade was to enable us to work on features like Silos that
implement this, but this isn't yet something anybody has promised to
fund/deliver yet. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba