[SOLVED] Kerberos auth with LDAP to Active Directory - advanced group options
I made a proper installation of Kerberos with LDAP authentication for users who have accounts in AD. I created the group wheel in AD, and when a user logs in to the Linux box using credentials from AD, he is assigned to the group wheel, so he is able to do sudo su. That is a nice solution for the sysadmin team.
But I am wondering about one thing... If, for example, I have a user in AD, and I would like to grant him access to server X as admin (wheel group), and to server Y, which I want to be accessed by the same user but without admin access... I am able to set only one group in Windows AD... So how could I deal with it?
Do any of the experienced users have some idea how I can do it?
Ok, but when I go in AD to user properties, then UNIX Attributes, at the bottom I have to choose only one field from the list.
So how can I add other groups, and how can I choose the servers on which the user should have a different default group after authentication?
Not exactly... Because when I add a user to some groups, admin or not admin... how does Linux know whether he should have full access on server 1 and regular user access on server 2?
I think this is not possible via Windows AD...
I fixed it for the moment by creating a normal group for all users in AD, and when a user needs root privileges, I add him to sudoers on the specific server. That's working for me.
So I suppose that is the one good solution to manage AD users on Linux boxes. Or maybe you have some other idea how to manage them via AD?
It should all be working as I understand it; it's extremely possible and I've used it plenty. You add users to the group in AD, and that membership should show up in, for example, "getent group" on Linux. That group is then referenced in /etc/sudoers, /etc/security/access.conf or such like.