LinuxQuestions.org
Old 01-21-2009, 10:21 AM   #1
dsdonut
LQ Newbie
 
Registered: Jan 2009
Posts: 22

Rep: Reputation: 0
Active Directory groups via Samba/Winbind?


I'm working on a way to use MS Active Directory for authentication in our Linux environment (we are predominantly a Windows shop).

I've configured a test Linux box to successfully authenticate to our AD environment. To do this I used the process outlined in this article:

http://technet.microsoft.com/en-us/m....12.linux.aspx

This works great - I am able to sign on to this Linux box using an AD account.

The next thing I would like to do is to be able to use AD groups in Linux config files. For example, I'd like to limit SSH logons to only certain AD groups. I've tried adding an AD group to /etc/ssh/sshd_config, but this doesn't seem to work. I've tried adding the group in the domain\group format as well as group@domain format. I'd also like to use AD groups in the sudoers file.

A. Is it possible?
B. If so, how can I do this?
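
The check below is an added example, not part of the original thread. It relates to the sshd_config attempt in the post above: sshd compares AllowGroups entries with the group names NSS returns for the user, so an entry has to be spelled the way `getent group` reports it. The domain `EXAMPLE`, the group `linuxadmins`, the `fake_getent` stub and the `demo` config are constructed, and the stub assumes a host where winbind presents groups without a domain prefix.

```shell
#!/bin/sh
# Added example (not from the thread). Reports AllowGroups entries that NSS
# does not return under exactly that name.
GETENT=${GETENT:-getent}   # overridable so the check can run without a domain

# Print every AllowGroups argument, one per line. The keyword is
# case-insensitive and may appear on several lines.
allowgroups_entries() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print each literal entry whose NSS lookup fails or comes back under a
# different name. Wildcard (* ?) and negated (!) patterns are skipped.
unresolved_allowgroups() {
    allowgroups_entries "$1" | while IFS= read -r g; do
        case $g in
            *[*?!]*) continue ;;
        esac
        name=$("$GETENT" group "$g" 2>/dev/null | cut -d: -f1)
        [ "$name" = "$g" ] || printf '%s\n' "$g"
    done
}

# Constructed stand-in for getent: only "wheel" and "linuxadmins" resolve
# (assumption: winbind presents AD groups without a domain prefix here).
fake_getent() {
    case $2 in
        wheel|linuxadmins) printf '%s:x:10001:\n' "$2" ;;
        *) return 2 ;;
    esac
}

# Constructed sshd_config using the two name forms tried in the post
# (domain\group and group@domain) next to the bare group name.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' 'Port 22' \
        'AllowGroups wheel EXAMPLE\linuxadmins' \
        'allowgroups linuxadmins@example.com linuxadmins ops-*' > "$cfg"
    ( GETENT=fake_getent; unresolved_allowgroups "$cfg" )
    rm -f "$cfg"
}
```

On a real host, leave `GETENT` unset and run `unresolved_allowgroups /etc/ssh/sshd_config`; any name it prints is not what NSS calls that group on that machine.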
 
Old 01-22-2009, 10:47 AM   #2
pentode
Member
 
Registered: Dec 2005
Location: Oregon
Distribution: Debian Testing
Posts: 488

Rep: Reputation: 38
I assume you've reviewed the official Samba documentation at www.samba.org - it's pretty good. My first thought was that AD groups are not supported by Samba, but I've never tried it, so I'm not sure. There are some limits to AD support in Samba and I believe these are pretty well covered in the Samba docs.

Using AD groups in the sudoers file seems like a bad idea, on the surface at least.
 
Old 01-23-2009, 12:16 PM   #3
dsdonut
LQ Newbie
 
Registered: Jan 2009
Posts: 22

Original Poster
Rep: Reputation: 0
Thanks for the replies

Why do you say that using AD groups in the sudoers file seems like a bad idea?

Here's my thinking (keep in mind that I'm a Windows guy trying to deal with Linux here).

We already have AD authentication on this box. So, admins can sign in with their AD account. That saves us from having to manage separate IDs in Linux.

Also, I don't want people to just sign in with their AD account, then su. If I can add AD groups (or less desirably individual AD accounts) to the sudoers file, then they can use sudo from their AD account to do their jobs.

If I'm heading down a bad path here (from a Linux perspective) please advise.
 
Old 01-23-2009, 03:26 PM   #4
pentode
Member
 
Registered: Dec 2005
Location: Oregon
Distribution: Debian Testing
Posts: 488

Rep: Reputation: 38
I would not be confident in the security of trying to bring an AD group into a Linux sudoers list. But that's just me, probably.

Here's some relevant info on group mappings in newer versions of Samba:

http://us1.samba.org/samba/docs/man/...html#id2571717
 
  


All times are GMT -5.