Linux - Newbie: This Linux forum is for members that are new to Linux.
Strange, I was working on a very similar scenario just the other day.
Dealing with users under Linux is very very often a case of dividing and conquering each constituent part. After, of course, appreciating what those parts are. You cannot define an AD group specifically; it's just not logical. You merely specify a group which the underlying authentication system is aware of. If it just so happens that that group is accessed via LDAP / Samba within AD, then that's a happy coincidence for you.
Right here your first division is to ensure that your user base is correct. You need to be able to run "getent group" and "id -G myexampleuser" and get all the applicable groups back in standard POSIX format. I'd written all the above without reading the link you posted, assuming that you were using LDAP, and it still holds 100% if you're using winbind, which backs up the point here.
So get the getent stuff returning the right data, and once that's done, using that data to your own end is pretty trivial.
Once you have got that, then your queries above will be trivial. BUT don't go messing with sshd_config; (I think) it's pretty ugly compared to using a more elegant and generic mechanism as found under /etc/security/access.conf, which will do all you want, better, and way more if you want it.
No, as and when your AD details are correctly configured and integrated with your system, then your AD groups will appear in the getent output, and be totally indistinguishable from local groups from that point on.
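The check-then-restrict order described in the posts above, as an added example that is not part of the original thread: it compares the numeric GID from `getent group` with the list from `id -G` (group names containing spaces, common with winbind, make name matching unreliable) and only then prints rules for `/etc/security/access.conf`. The function names, the user and group passed in, and the root-console rule are assumptions.

```shell
#!/bin/sh
# Added example. Usage (hypothetical names): ./check.sh myexampleuser linuxadmins

# Print the numeric GID of a group as NSS resolves it (local, LDAP or winbind).
# getent group prints name:passwd:gid:members, so field 3 is the GID.
group_gid() {
    getent group "$1" 2>/dev/null | cut -d: -f3
}

# Return 0 if the user is a member of the group, 1 if not,
# 2 if the group does not resolve, 3 if the user does not resolve.
user_in_group() {
    gid=$(group_gid "$2")
    [ -n "$gid" ] || return 2
    gids=$(id -G "$1" 2>/dev/null) || return 3
    case " $gids " in
        *" $gid "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print pam_access rules: "permission : users/groups : origins".
# Parentheses mark a group name; the first matching line wins.
access_rules() {
    printf '%s\n' '+ : root : LOCAL'      # assumption: keep local root login
    printf '%s\n' "+ : ($1) : ALL"        # members of the group, from anywhere
    printf '%s\n' '- : ALL : ALL'         # everyone else is denied
}

# Only emit rules when the membership check has passed, so a group that
# is not resolving yet cannot produce rules that lock the user out.
if [ "$#" -eq 2 ]; then
    if user_in_group "$1" "$2"; then
        access_rules "$2"
    else
        echo "refusing: $1 is not resolved as a member of $2" >&2
        exit 1
    fi
fi
```

The printed rules take effect only for services whose PAM account stack includes `pam_access.so`.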