LinuxQuestions.org

Linux - Server: Kerberos auth with LDAP to Active Directory - advanced group options (https://www.linuxquestions.org/questions/linux-server-73/kerberos-auth-with-ldap-to-active-directory-advenced-group-options-4175431921/)

grzeslaw 10-12-2012 04:26 PM

Kerberos auth with LDAP to Active Directory - advanced group options
 
Hello,

I made a proper installation of Kerberos with LDAP authentication for users who have accounts in AD. I created the group wheel in AD, and when a user logs in to a Linux box using the credentials from AD, he is assigned to the group wheel, so he is able to do sudo su. That is a nice solution for sysadmins in a team.

But I am wondering about one thing. If, for example, I have a user in AD and I would like to grant him access to server X as admin (wheel group), and to server Y, which I want to be accessed by the same user but without admin access... I am able to set only one group in Windows AD. So how could I deal with it?

Do any of the experienced users have some idea how I can do it?

acid_kewpie 10-12-2012 04:34 PM

Why can you only set one group? You should be able to generically use any group membership in AD as normal, just add a GID to those AD groups and have them work as POSIX groups too.

You might want to take a look at a translucent OpenLDAP proxy to potentially add in additional attributes that AD can't handle for whatever reason, but there IS a way to do it in AD properly.

grzeslaw 10-14-2012 07:33 AM

Ok, but when I go in AD to user properties, then UNIX Attributes, at the bottom I have to choose only one field from the list.
So how can I add other groups, and how can I choose the servers on which the user should have a different default group after authentication?

acid_kewpie 10-14-2012 09:43 AM

http://i.technet.microsoft.com/dynimg/IC157443.gif

grzeslaw 10-14-2012 01:48 PM

Yeah, ok, I could add users to the groups..
But what if I have a user who should have root access to servers 1, 2 and 3, but on servers 4 and 5 he should have limited access?

acid_kewpie 10-14-2012 02:01 PM

Then have multiple groups, that's the whole point you started off with, right?

grzeslaw 10-14-2012 02:06 PM

Not exactly.. Because when I add a user to some groups, admin or not admin.. how does Linux know whether he should have full access on server 1 and regular user access on server 2?

I think this is not possible via Windows AD..
I fixed it for the moment by creating a normal group for all users in AD, and when a user needs root privileges, I add him to sudoers on the specific server. That's working for me.

So I suppose that is the one good solution to manage AD users on Linux boxes. Or maybe you have some other idea how to manage them via AD?

acid_kewpie 10-15-2012 02:17 AM

It should all be working as I understand it; it's extremely possible and I've used it plenty. You add users to the group in AD, and that membership should show up in, for example, "getent group" on Linux. That group is then referenced in /etc/sudoers, /etc/security/access.conf or suchlike.
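Added example (not from the thread or any of its posters) of the approach described in the post above: the same AD membership is resolved through NSS on every host, and each server decides locally which AD group gets sudo and which may only log in. The group names lnx-admins-web and lnx-users, and the file names used, are assumptions; both groups are assumed to have a gidNumber so that getent resolves them.

```shell
#!/bin/sh
# Constructed example. Assumed AD groups (must have gidNumber set so NSS can resolve them):
#   lnx-admins-web  - gets sudo on this server
#   lnx-users       - may log in here, no sudo
# On another server, reference a different admin group and the same user gets less.

# Parse one `getent group` line ("name:x:gid:member1,member2") and report
# whether $2 is listed as a member. Returns 0 if member, 1 otherwise.
group_has_member() {
  members=$(printf '%s\n' "$1" | cut -d: -f4)
  printf '%s\n' "$members" | tr ',' '\n' | grep -qxF -- "$2"
}

# Live check on a real host: resolve the group through NSS (sssd, winbind or ldap).
user_in_ad_group() {  # $1 = user, $2 = group
  line=$(getent group "$2") || return 1
  group_has_member "$line" "$1"
}

# Render the sudoers.d fragment granting full sudo to this server's admin group.
render_sudoers() {
  printf '%%%s ALL=(ALL) ALL\n' "$1"
}

# Render /etc/security/access.conf for pam_access: root at the console, the two AD
# groups from anywhere, everyone else denied. Order matters: first match wins.
render_access_conf() {  # $1 = admin group, $2 = login-only group
  printf '+ : root : LOCAL\n'
  printf '+ : (%s) : ALL\n' "$1"
  printf '+ : (%s) : ALL\n' "$2"
  printf -- '- : ALL : ALL\n'
}

# Write both files; refuse to leave a sudoers fragment in place that does not parse.
install_rules() {  # $1 = sudoers.d dir, $2 = access.conf path, $3 = admin group, $4 = login group
  frag="$1/50-ad-admins"
  render_sudoers "$3" > "$frag" && chmod 0440 "$frag" || return 1
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$frag" >/dev/null || { rm -f "$frag"; return 1; }
  fi
  render_access_conf "$3" "$4" > "$2"
}
```

Run install_rules with /etc/sudoers.d and /etc/security/access.conf as root on each server, passing that server's admin group; user_in_ad_group is the quick check that the AD membership really arrives via NSS before relying on it.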

grzeslaw 10-16-2012 02:39 AM

Thanks for your help acid_kewpie!

I implemented this solution on a few servers and it's working fine ;)

