Re: [Samba] Limit Winbind users to some OU
- Date: Tue, 30 Jan 2018 07:57:55 +1100
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Limit Winbind users to some OU
On Fri, 2018-01-26 at 12:22 +0100, mathias dufresne via samba wrote:
> Hi all,
> Is there a way to force Winbind to accept authentication of users inside
> some particular OU only?

Sadly not. I once worked with a customer on their patched winbind that
did that, but the patch wasn't possible to continue forward into modern

However, you can restrict password authentication via ntlm_auth and
pam_winbind with the --require-membership-of and require_membership_of
options to those tools.

(Things like SSH keys still work regardless of this setting, as I say
it is attached to password authentication for technical reasons).

In the medium term the reason we did the work for the 2012 AD schema
and FL upgrade was to enable us to work on features like Silos that
implement this, but this isn't yet something anybody has promised to

Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
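
The pam_winbind restriction mentioned in the reply above, as an added configuration example that is not part of the original message. It assumes a hypothetical AD group, EXAMPLE\ou-staff-logins, whose membership is maintained to mirror the OU, because the option matches a group or user (by SID or name) rather than an OU path.

```ini
# /etc/security/pam_winbind.conf
# Constructed example. EXAMPLE\ou-staff-logins is a hypothetical AD group
# whose members are the users of the OU; the option takes a SID or a
# DOMAIN\name, not an OU path.
[global]
require_membership_of = EXAMPLE\ou-staff-logins

# Equivalent per-service form in a PAM stack (auth line only):
# auth  required  pam_winbind.so  require_membership_of=EXAMPLE\ou-staff-logins
```

ntlm_auth accepts the same group name or SID through `--require-membership-of=`. Neither setting is consulted when no password is checked, so SSH key logins are not restricted by it.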