LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 10-12-2012, 05:26 PM   #1
grzeslaw
Member
 
Registered: Nov 2008
Posts: 49

Rep: Reputation: 13
Kerberos auth with ldap to active directory -advenced group options


Hello,

I made a proper installation of kerberos with ldap authentication for users which have accounts on AD. I create group wheel in AD, and when user is logging to linux box, using the credentials from AD, he is assigned to group wheel, so he is able to made sudo su. That is nice solution for sysadmins in team.

But I am wondering about one thing.. If for example I have user in AD, and I would like to grant him access to server X as admin (wheel group), and server Y, which I want to be accessed by the same user, but without admin access.. I am able to set only one group in Windows AD.. So could I deal with it?

Does any of expirenced users have some idea how can I do it?

Last edited by grzeslaw; 10-15-2012 at 04:04 AM.
 
Old 10-12-2012, 05:34 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
Why can you only set one group? You should be able to generically use any group membership in AD as normal and just add a GID to those AD groups, and have them work as posix groups too.

You might want to a look a translucent openldap proxy to potentially add in additional attributes that AD can't handle for whatever reason, but there IS a way to do it in AD properly.
 
Old 10-14-2012, 08:33 AM   #3
grzeslaw
Member
 
Registered: Nov 2008
Posts: 49

Original Poster
Rep: Reputation: 13
Ok, but when I go in AD to user properities, then UNIX Attributes, at the bottom I have to chose only one field from list.
So how can I add other groups, and how can I chose the servers on which user should have other default group after authentication?
 
Old 10-14-2012, 10:43 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
http://i.technet.microsoft.com/dynimg/IC157443.gif
 
Old 10-14-2012, 02:48 PM   #5
grzeslaw
Member
 
Registered: Nov 2008
Posts: 49

Original Poster
Rep: Reputation: 13
Yeah, ok I could add users to the groups..
But what if I have user, which should have root access to server 1,2 and 3, but on server 4 and 5, he should should have limited access?
 
Old 10-14-2012, 03:01 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
then have multiple groups, that's the whole point you started off with, right?
 
Old 10-14-2012, 03:06 PM   #7
grzeslaw
Member
 
Registered: Nov 2008
Posts: 49

Original Poster
Rep: Reputation: 13
Not exactly.. Because when I add user to some gropups admin or not admin.. how did linux know, should he have full access on server 1 and regular user access on server 2?

I think this is not possible via windows AD..
I fix it at the moment, by creating normal group for all users in AD, and when the user needs root privilages, I add him to sudoers on specific server. That's working for me.

So I suppose that is the one good solution to manage AD users on Linux boxes. Or maybe you have some other idea, how to manage them via AD?
 
Old 10-15-2012, 03:17 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
it should all be working as I understand it, it's extremely possible and I've used it plenty. You add users to the group in AD, and that membership should show up on, for example, "getent group" on Linux. That group is then references in /etc/sudoers, /etc/security/access.conf or such like.
 
Old 10-16-2012, 03:39 AM   #9
grzeslaw
Member
 
Registered: Nov 2008
Posts: 49

Original Poster
Rep: Reputation: 13
Thanks for your help acid_kewpie!

I implement ths solution on few servers and it's working fine

Last edited by grzeslaw; 10-16-2012 at 03:40 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LDAP/Kerberos authentication to Windows Active Directory Shad0wguy Linux - Enterprise 7 02-15-2012 01:04 PM
[SOLVED] LDAP / Kerberos / Active Directory - Only *some* users appearing fantasygoat Linux - Server 2 04-20-2011 10:34 AM
SLES11, Samba, Kerberos, LDAP integration with Active Directory jstalewski Suse/Novell 1 08-02-2010 02:10 PM
Problem with LDAP auth and Active Directory Ryan100 Red Hat 1 10-27-2006 04:50 PM
Active Directory, Kerberos, LDAP, PAM, and nsswitch PenguinPwrdBox Linux - Security 1 06-04-2005 10:56 PM


All times are GMT -5. The time now is 05:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration