Score:2

Using Linux tools to allow a user in a domain to access only certain computers


I ran a samba-ad-dc domain controller on Debian Bullseye. No problem creating users and groups, organizational units, etc. and joining Windows or Linux computers to the domain. But there is another task: on Windows Server, using "Active Directory Users and Computers", in the user's profile Account tab under the button "Log on to...", you can specify the computers the user is allowed to log on to. This option works for every computer, Windows or Linux with a configured Samba client.

So I concluded that these are not group policies (otherwise these login restrictions would not work for Linux computers). The problem is that I cannot find any information on how to solve such a task using Linux tools, such as "samba-tool", "net" or maybe changing/adding LDAP attributes to user or computer entities. Is it generally possible?

The clients look for an attribute `userworkstations` on the user account in LDAP. If your Samba directory does not have that attribute, it can be added. See this page for examples: https://www.sigma-uk.net/tech/ubuntu_ldap#samba_v3
Mikhail Kulikov avatar
@GregAskew yes, it works: adding and modifying attribute `userworkstations`. Thanks!
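
One way to set the attribute discussed above from a Linux shell, as an added example that is not part of the original thread: two small functions that build the LDIF for `ldbmodify`. The attribute is written in the AD schema's spelling `userWorkstations` (LDAP attribute names are case-insensitive) and holds a comma-separated list of computer names; the DN, the host names and the `sam.ldb` path are constructed sample values and assumptions, and the DN is assumed to be plain ASCII.

```shell
#!/bin/sh
# Build LDIF that restricts a user's logon to a list of computers by
# setting userWorkstations (comma-separated computer names).
# All DNs and host names used here are constructed sample values.

# make_logon_ldif USER_DN HOST [HOST...]
# Prints the LDIF on stdout; exits non-zero on a bad argument.
make_logon_ldif() (
    [ "$#" -ge 2 ] || { echo "usage: make_logon_ldif DN HOST..." >&2; exit 1; }
    dn=$1; shift
    list=""
    for h in "$@"; do
        # Reject anything that is not a plain host name: a stray comma or
        # space would silently change the list the clients evaluate.
        case $h in
            ''|*[!A-Za-z0-9.-]*) echo "invalid computer name: '$h'" >&2; exit 1 ;;
        esac
        list=${list:+$list,}$h
    done
    printf 'dn: %s\nchangetype: modify\nreplace: userWorkstations\nuserWorkstations: %s\n' \
        "$dn" "$list"
)

# clear_logon_ldif USER_DN
# LDIF that removes the restriction again (fails if the attribute is not set).
clear_logon_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: userWorkstations\n' "$1"
}

# Apply on the domain controller. The database path is an assumption
# (Debian package default); adjust it to your installation:
#   make_logon_ldif "CN=jdoe,CN=Users,DC=example,DC=com" PC01 PC02 > /tmp/uw.ldif
#   ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/uw.ldif
```

`replace:` overwrites the whole list, so pass every computer the user should keep access to, not only the new one.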