[SOLVED] Kerberos auth with LDAP to Active Directory - advanced group options
I made a proper installation of Kerberos with LDAP authentication for users which have accounts in AD. I created the group wheel in AD, and when a user logs in to the Linux box using the credentials from AD, he is assigned to group wheel, so he is able to do sudo su. That is a nice solution for sysadmins in a team.
But I am wondering about one thing.. If for example I have a user in AD, and I would like to grant him access to server X as admin (wheel group), and to server Y, which I want to be accessed by the same user, but without admin access.. I am able to set only one group in Windows AD.. So how could I deal with it?
Does any of the experienced users have some idea how I can do it?
Ok, but when I go in AD to the user's properties, then UNIX Attributes, at the bottom I have to choose only one field from the list.
So how can I add other groups, and how can I choose the servers on which the user should have a different default group after authentication?
Not exactly.. Because when I add a user to some groups, admin or not admin.. how does Linux know whether he should have full access on server 1 and regular user access on server 2?
I think this is not possible via Windows AD..
I fixed it for the moment by creating a normal group for all users in AD, and when a user needs root privileges, I add him to sudoers on the specific server. That's working for me.
So I suppose that is the one good solution to manage AD users on Linux boxes. Or maybe you have some other idea how to manage them via AD?
It should all be working as I understand it; it's extremely possible and I've used it plenty. You add users to the group in AD, and that membership should show up on, for example, "getent group" on Linux. That group is then referenced in /etc/sudoers, /etc/security/access.conf or suchlike.
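The mechanism the last reply describes, as an added example that is not from any poster in this thread: AD group membership is read through NSS (what "getent group" prints), and a per-server group is then named in a sudoers drop-in or in pam_access's access.conf. Instead of one UNIX primary group per user, each server gets its own AD group, so the same user can be admin on server X and a plain user on server Y. The group names (linux-admins-x, linux-users) and the getent output below are constructed sample data for illustration; on a real box the script reads the live group database.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides a user's role on this
# server from AD group membership as exposed by NSS, and prints the
# config lines that enforce it. SAMPLE_GETENT is CONSTRUCTED data in the
# `getent group` format (name:passwd:gid:member,member); the group names
# are hypothetical. Pass no third argument to read the real database.

SAMPLE_GETENT='wheel:x:10:
linux-admins-x:*:10001:alice,bob
linux-users:*:10002:alice,bob,carol'

# user_in_group USER GROUP [GETENT_OUTPUT]
# Exit 0 when USER appears in GROUP's member list (4th field), else 1.
# Matching is on whole member names, so "bob" does not match "bobby".
user_in_group() {
    _user=$1; _group=$2; _db=${3:-$(getent group)}
    printf '%s\n' "$_db" | awk -F: -v u="$_user" -v g="$_group" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# role_on_server USER ADMIN_GROUP USER_GROUP [GETENT_OUTPUT]
# Prints admin | user | denied. The admin group is checked first so a
# user in both groups is treated as admin on this server.
role_on_server() {
    if user_in_group "$1" "$2" "$4"; then echo admin
    elif user_in_group "$1" "$3" "$4"; then echo user
    else echo denied; fi
}

# sudoers_line GROUP -> line for /etc/sudoers.d/<something>: members of
# the AD group get full sudo. The leading % marks a group name.
sudoers_line() { printf '%%%s ALL=(ALL) ALL\n' "$1"; }

# access_rules GROUP -> /etc/security/access.conf rules: allow the named
# group from anywhere, then deny everyone else (order matters, first
# match wins, so the deny-all must come last).
access_rules() { printf '+:%s:ALL\n-:ALL:ALL\n' "$1"; }

# Demo run over the constructed data, as this host being "server X".
for u in alice carol dave; do
    printf '%s on server X: %s\n' "$u" "$(role_on_server "$u" linux-admins-x linux-users "$SAMPLE_GETENT")"
done
printf 'sudoers drop-in:\n%s\n' "$(sudoers_line linux-admins-x)"
printf 'access.conf (login limited to linux-users):\n%s\n' "$(access_rules linux-users)"
```

Because a user can belong to many AD groups at once, server Y simply references a different group (say linux-admins-y) in its own sudoers drop-in; the single "primary group" field under UNIX Attributes is not involved. A quick check that the membership actually arrives on the box is `getent group linux-admins-x` before trusting the sudoers rule.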