
kenwood 10-01-2008 03:56 PM

Using members of AD groups to administer Linux
 
Preface: Unix Newbie, Microsoft Knowledgeable

I am trying to use my MS Enterprise Admins group to allow for Linux administration.

I have Samba working and can authenticate to Linux with MS EA creds. I have used "net groupmap add ntgroup="Enterprise Admins" unixgroup=root" which completes and lists correctly, but things like ifup and ifdown fail with access denied.

Any assistance is appreciated.

Thanks,

:K

MensaWater 10-02-2008 09:50 AM

Many root commands require the root "user" rather than a root "group". Many of these commands can have different "groups" such as sys, adm, root, etc.

I can't really comment on your attempt to use Windows tools for administering Linux but will caution you to be sure you keep a real root password for each server as there are times you can bring the system up in states like single user where no outside connection is going to work. You do NOT want to rely on having access to some centralized authentication source (or even terminals) in those cases.

What you might try if you're attempting login and then becoming root is to create individual users for each admin and set up sudo (man sudo, man visudo) to allow those admins to switch to root at need.

kenwood 10-02-2008 11:33 AM

Quote:

Originally Posted by jlightner (Post 3298042)
Many root commands require the root "user" rather than a root "group". Many of these commands can have different "groups" such as sys, adm, root, etc.

I can't really comment on your attempt to use Windows tools for administering Linux but will caution you to be sure you keep a real root password for each server as there are times you can bring the system up in states like single user where no outside connection is going to work. You do NOT want to rely on having access to some centralized authentication source (or even terminals) in those cases.

What you might try if you're attempting login and then becoming root is to create individual users for each admin and set up sudo (man sudo, man visudo) to allow those admins to switch to root at need.

Thanks,

I'm not actually trying to use Microsoft tools, just the Microsoft account as my Authentication and Authorization functionality in Linux (i.e. I want to be able to log in with my AD creds and administer the Linux box, hopefully without sudo or su). I already have sudo working, but typically prefer that there is some level of Accounting (i.e. I like AAA), and given my general newbieness in Linux I'm not sure I can get accounting/auditing in a good fashion if everyone sudos root.

I am also using the root group, because of my ignorance (which I profess to) with Linux. Ultimately I am trying to understand how to make NT groups become Unix groups. These systems will become Anti-spam boxes and will only have port 25 exposed to the internet, but the Anti-spam package I have also uses Unix group membership to administer the programs, and here again I would like to simply have the appropriate team/NT group automatically have rights into Linux, without having to create accounts on every Linux box I have.

Any ideas on how to make the NT group become the Unix group? It appears as if groupmap is meant to make Unix groups useable by NT (and I want to go the other way).

Thanks again,

:k
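
On the accounting question in the thread above: sudo writes one syslog record per command, naming the invoking account, so the audit trail stays per-admin even though the command runs as root. The following is an added example, not part of the original thread: it parses constructed log lines in sudo's default syslog format and flags refused requests and root shells, after which per-command accounting stops. The host name, the EXAMPLE domain, the user names and the DOMAIN\user login form are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog format (not from the thread).
# Host "mx1", domain "EXAMPLE" and the user names are assumptions.
SAMPLE_LOG = r"""
Oct  2 11:40:01 mx1 sudo: EXAMPLE\kenwood : TTY=pts/0 ; PWD=/home/kenwood ; USER=root ; COMMAND=/sbin/ifdown eth0
Oct  2 11:40:09 mx1 sudo: EXAMPLE\kenwood : TTY=pts/0 ; PWD=/home/kenwood ; USER=root ; COMMAND=/sbin/ifup eth0
Oct  2 11:52:30 mx1 sudo: EXAMPLE\alice : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/su -
Oct  2 12:03:44 mx1 sudo: EXAMPLE\bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/visudo
Oct  2 12:05:00 mx1 sshd[812]: Accepted password for EXAMPLE\bob from 10.0.0.5 port 50122 ssh2
"""

LINE_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)
SHELLS = {"su", "sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}

def parse_sudo_log(text):
    """Return one dict per sudo command record found in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a sudo command record (e.g. sshd lines)
        ev = m.groupdict()
        # sudo puts a reason before TTY= when it refuses the request.
        ev["rejected"] = ev["error"] is not None
        binary = ev["command"].split()[0].rsplit("/", 1)[-1]
        # Inside a root shell, later commands never reach sudo's log.
        ev["opens_shell"] = not ev["rejected"] and binary in SHELLS
        events.append(ev)
    return events

def commands_by_user(events):
    """Map each invoking account to the commands sudo allowed it to run."""
    report = defaultdict(list)
    for ev in events:
        if not ev["rejected"]:
            report[ev["user"]].append(ev["command"])
    return dict(report)

if __name__ == "__main__":
    events = parse_sudo_log(SAMPLE_LOG)
    for user, cmds in commands_by_user(events).items():
        print(user, "ran as root:", cmds)
    for ev in events:
        if ev["rejected"] or ev["opens_shell"]:
            print("REVIEW:", ev["user"], ev["error"] or "root shell", ev["command"])
```

Where sudo logs depends on the distribution's syslog configuration; forwarding those records to a remote log host keeps them out of reach of a local root user.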

