Using Linux tools to allow a user in a domain to access only certain computers

Mikhail Kulikov

10/18/23, 2:35 PM

I ran samba-ad-dc domain controller on Debian Bullseye. No problem to create users and groups, organizational units, etc and to join windows or Linux computers to domain. But there is other task: On Windows Server using "Active Directory users and computers", in users profile account tab under button "Log on to..." - you can specify the computers the users is allowed to logon to. This option works for every computer - Windows or Linux with configured samba client.

So I concluded that these are not group policies (otherwise these login restrictions would not work for Linux computers). The problem is that I cannot find any information how to solve such task using Linux tools, such as "samba-tool", "net" or maybe changing/adding LDAP attributes to user or computer entities. Is it generally possible?

357

0 + 2

linux

active-directory

samba

domain-controller

Greg Askew

10/18/23, 5:09 PM

The clients look for an attribute `userworkstations` on the user account in LDAP. If your Samba directory does not have that attribute, it can be added. See this page for examples: https://www.sigma-uk.net/tech/ubuntu_ldap#samba_v3

Mikhail Kulikov

11/30/23, 7:55 AM

@GregAskew yes, it works: adding and modifying attribute `userworkstations`. Thanks!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Using Linux tools to allow a user in a domain to access only certain computers

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.