LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
#1 dsdonut (LQ Newbie), 01-21-2009, 12:06 PM
Using Active Directory groups in sshd_config


I tried posting this a little bit ago, but it doesn't look like it went through.

I've successfully set up a test linux server to authenticate to our Active Directory environment. To do that, I used the procedures from this article:

http://technet.microsoft.com/en-us/m....12.linux.aspx

Now, I want to restrict SSH logon to only certain AD groups. Is this possible? I've tried adding the groups to the sshd_config file, but that doesn't seem to work. (AllowUsers Groupname)

A. Is this even possible?
B. If it is possible, how can I get it to work?

If it is possible, I'd also like to use AD groups in the sudoers file.

Last edited by dsdonut; 01-21-2009 at 02:17 PM.
 
#2 acid_kewpie (Moderator), 01-21-2009, 02:33 PM
Strange, I was working on a very similar scenario just the other day.

Dealing with users under Linux is very very often a case of dividing and conquering each constituent part. After, of course, appreciating what those parts are. You cannot define an AD group specifically; it's just not logical. You merely specify a group which the underlying authentication system is aware of. If it just so happens that that group is accessed via LDAP / Samba within AD, then that's a happy coincidence for you.

Right here your first division is to ensure that your user base is correct. You need to be able to run "getent group" and "id -G myexampleuser" and get all the applicable groups back in standard POSIX format. I'd written all the above without reading the link you posted, assuming that you were using LDAP, and it still holds 100% if you're using winbind, which backs up the point here.

So get the getent stuff returning the right data, and once that's done, using that data to your own end is pretty trivial.

Once you have got that, your queries above will be trivial. BUT don't go messing with sshd_config (I think); it's pretty ugly compared to using a more elegant and generic mechanism as found under /etc/security/access.conf, which will do all you want, better, and way more if you want it.
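Added example, not acid_kewpie's code or anything from the thread: a small POSIX shell evaluator that mimics how pam_access walks /etc/security/access.conf, so a rule set can be reasoned about before it goes on a real server. A constructed `getent group` dump stands in for the AD groups winbind or LDAP would return, and two constructed rule sets stand in for access.conf; every user, group and address in it is made up. Two facts the thread leaves implicit: access.conf is only consulted if /etc/pam.d/sshd carries an `account required pam_access.so` line, and if you do go the sshd_config route, the directive that takes group names is `AllowGroups`, not `AllowUsers`.

```sh
#!/bin/sh
# Added example, not code from the thread: a small evaluator that mimics how
# pam_access decides a login from /etc/security/access.conf, so a rule set
# can be reasoned about before it goes on a real server.
# Constructed data: GROUP_DB stands in for `getent group` (with winbind or
# LDAP set up, AD groups show up there exactly like local ones) and the
# ACCESS_RULES strings stand in for access.conf. All names are made up.

# Constructed "getent group" dump: name:password:gid:member,member
GROUP_DB='root:x:0:
wheel:x:10:alice
linux-admins:x:10001:alice,bob
sshusers:x:10002:carol'

# Constructed access.conf: "permission : users or (groups) : origins".
# pam_access acts on the FIRST matching line; the closing "- : ALL : ALL"
# is what turns the default (permit) into deny for everyone not listed.
ACCESS_RULES='+ : root : LOCAL
+ : (linux-admins) : ALL
+ : (sshusers) : 192.168.1.10
- : ALL : ALL'

# The same idea with the catch-all forgotten, a common mistake.
ACCESS_RULES_NO_CATCHALL='+ : (linux-admins) : ALL'

NL='
'

# user_in_group USER GROUP -> 0 if USER is a member of GROUP in GROUP_DB
user_in_group() {
    local user=$1 group=$2 oldifs=$IFS line members
    IFS=$NL
    for line in $GROUP_DB; do
        IFS=$oldifs
        [ "${line%%:*}" = "$group" ] || continue
        members=${line##*:}
        case ",$members," in *",$user,"*) return 0 ;; esac
    done
    IFS=$oldifs
    return 1
}

# user_matches USER TOKEN -> 0 if a user-field token (ALL, (group), name) covers USER
user_matches() {
    local user=$1 token=$2
    case $token in
        ALL) return 0 ;;
        "("*")") token=${token#"("}; token=${token%")"}; user_in_group "$user" "$token" ;;
        *) [ "$token" = "$user" ] ;;
    esac
}

# origin_matches ORIGIN TOKEN -> 0 if an origin-field token covers ORIGIN
# (in pam_access, LOCAL means an origin without a dot: a tty or short hostname)
origin_matches() {
    local origin=$1 token=$2
    case $token in
        ALL) return 0 ;;
        LOCAL) case $origin in *.*) return 1 ;; *) return 0 ;; esac ;;
        *) [ "$token" = "$origin" ] ;;
    esac
}

# access_decision RULES USER ORIGIN -> prints permit|deny, exit status 0|1
access_decision() {
    local rules=$1 user=$2 origin=$3 oldifs=$IFS line perm rest users origins u o hit
    IFS=$NL
    for line in $rules; do
        IFS=$oldifs
        case $line in ''|'#'*) continue ;; esac
        perm=${line%%:*}; rest=${line#*:}
        users=${rest%%:*}; origins=${rest#*:}
        set -- $perm; perm=$1                      # trim whitespace
        hit=1
        for u in $users; do user_matches "$user" "$u" && { hit=0; break; }; done
        [ $hit -eq 0 ] || continue
        hit=1
        for o in $origins; do origin_matches "$origin" "$o" && { hit=0; break; }; done
        [ $hit -eq 0 ] || continue
        case $perm in
            +) echo permit; return 0 ;;
            -) echo deny;   return 1 ;;
        esac
    done
    IFS=$oldifs
    echo permit        # no line matched: pam_access permits by default
    return 0
}

# Walk a few (user, origin) pairs through the rules that end in "- : ALL : ALL".
for pair in 'alice 10.0.0.5' 'carol 10.0.0.5' 'carol 192.168.1.10' \
            'root localhost' 'root 10.0.0.5' 'dave 10.0.0.5'; do
    set -- $pair
    printf '%-6s from %-13s -> %s\n' "$1" "$2" "$(access_decision "$ACCESS_RULES" "$1" "$2")"
done
# Without the catch-all, an unlisted user is let in by default.
printf 'dave with no catch-all   -> %s\n' "$(access_decision "$ACCESS_RULES_NO_CATCHALL" dave 10.0.0.5)"
```

The run shows the two things worth internalising about access.conf: order matters because the first matching line wins (carol is admitted from 192.168.1.10 but not from 10.0.0.5), and the trailing `- : ALL : ALL` is what makes the file a whitelist at all; without it, dave, who is in no listed group, is permitted. The real module also understands `EXCEPT`, `@netgroups` and network masks in the origin field, which this toy ignores.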
 
#3 dsdonut (LQ Newbie, original poster), 01-29-2009, 11:44 AM
still looking at this

The results of the id command return a bunch of numbers - I'm assuming these are the GIDs of all the AD groups that the user belongs to.

The getent group command lists all the local groups on the Linux box.

Do I need to create a group on the Linux box, then use the net groupmap command to map that group to an AD group? If so, how exactly do I do that? I've tried it, but it doesn't seem to work.
 
#4 acid_kewpie (Moderator), 01-29-2009, 01:24 PM
No, as and when your AD details are correctly configured and integrated with your system, then your AD groups will appear in the getent output, and be totally indistinguishable from local groups from that point on.
 
#5 dsdonut (LQ Newbie, original poster), 01-29-2009, 03:05 PM
/etc/security/access.conf

Also, how do I get /etc/security/access.conf to take effect? I've tried editing it, but my changes don't seem to have taken effect. What needs to be restarted?
 
#6 dsdonut (LQ Newbie, original poster), 01-29-2009, 03:07 PM
every group?

Every AD group will be listed in getent?

None of mine are listed. AD users can authenticate, but I have no idea how to get access to the groups.
 
#7 acid_kewpie (Moderator), 01-29-2009, 03:31 PM
access.conf will be loaded automatically. You might want to ensure it is being read by PAM, normally in /etc/pam.d/.

As for the groups, if they are not listed then you've not set your winbind up correctly. I'd check back to your documentation, as I haven't done this sort of thing over winbind, only LDAP.
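Added example, not from the thread: a checklist script for the three places this thread turns on, run against constructed copies of the files so it works offline. It checks the `group:` line in nsswitch.conf (if winbind, ldap or sss is not consulted there, `getent group` shows only /etc/group, which is the symptom in post #6), the `pam_access.so` line in /etc/pam.d/sshd (without it, access.conf is never read, the question in post #5), and a group name placed in `AllowUsers` (the attempt in post #1). It also resolves numeric GIDs against a group file the way `id -Gn` does, which is why plain `id -G` in post #3 prints only numbers. All file contents, group names and GIDs are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: a checklist for the places where
# "AD groups don't work for SSH" usually goes wrong, run here against
# constructed copies of the files so it works offline. On a real host the
# arguments would be /etc/nsswitch.conf, /etc/pam.d/sshd, /etc/ssh/sshd_config
# and the AD group you expect to admit. Contents, names and GIDs are made up.

# check_integration NSSWITCH PAM_SSHD SSHD_CONFIG GROUP
#   prints one line per finding; exit status is the number of findings
check_integration() {
    nss=$1; pam=$2; sshd=$3; group=$4; findings=0
    # 1. NSS: if the "group:" line does not consult winbind (or ldap/sss),
    #    getent group shows only /etc/group, so no AD group can ever match.
    if ! grep -Eq '^group:.*[[:space:]](winbind|ldap|sss)([[:space:]]|$)' "$nss"; then
        echo "nsswitch: 'group:' line does not consult winbind/ldap/sss"
        findings=$((findings + 1))
    fi
    # 2. PAM: /etc/security/access.conf is read only through pam_access.so,
    #    normally in the account stack of the service, here sshd.
    if ! grep -Eq '^[[:space:]]*account.*pam_access\.so' "$pam"; then
        echo "pam: no 'account ... pam_access.so' line, access.conf is ignored"
        findings=$((findings + 1))
    fi
    # 3. sshd: AllowUsers takes user names, so a group listed there matches
    #    no one; group names belong in AllowGroups.
    if grep -E '^[[:space:]]*AllowUsers[[:space:]]' "$sshd" | tr -s ' \t' '\n\n' | grep -qxF "$group"; then
        echo "sshd_config: '$group' is in AllowUsers; move it to AllowGroups"
        findings=$((findings + 1))
    fi
    return $findings
}

# resolve_gids GROUPFILE GID... -> "gid name" per GID, the lookup `id -Gn`
#   does for you; unknown GIDs print "?" (a group NSS cannot resolve)
resolve_gids() {
    file=$1; shift
    for gid; do
        name=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$file")
        printf '%s %s\n' "$gid" "${name:-?}"
    done
}

# Constructed files: a "broken" set matching the thread's symptoms and a fixed set.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'passwd: files winbind\ngroup:  files\n'          > "$tmp/nsswitch.broken"
printf 'passwd: files winbind\ngroup:  files winbind\n'  > "$tmp/nsswitch.fixed"
printf 'auth    include  system-auth\naccount include  system-auth\n' > "$tmp/pam_sshd.broken"
printf 'auth    include  system-auth\naccount required pam_access.so\naccount include  system-auth\n' > "$tmp/pam_sshd.fixed"
printf 'AllowUsers linux-admins\n'  > "$tmp/sshd.broken"
printf 'AllowGroups linux-admins\n' > "$tmp/sshd.fixed"
printf 'root:x:0:\nlinux-admins:x:10001:alice,bob\n' > "$tmp/group"

for state in broken fixed; do
    echo "== $state =="
    if check_integration "$tmp/nsswitch.$state" "$tmp/pam_sshd.$state" "$tmp/sshd.$state" linux-admins; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
done
echo "== GIDs as id -G prints them, resolved =="
resolve_gids "$tmp/group" 0 10001 4242
```

On a live box the equivalent of the last step is simply `id -Gn someaduser` and `getent group 'linux-admins'`; if the name comes back empty while the number shows up in `id -G`, NSS is not resolving the group and neither sshd's `AllowGroups` nor access.conf can match it. Whether the group name appears bare or prefixed with the domain depends on the winbind configuration, so check what `getent group` actually prints before writing the rule.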
 
  

