[SOLVED] Kerberos auth with ldap to active directory -advenced group options
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Kerberos auth with ldap to active directory -advenced group options
Hello,
I made a proper installation of kerberos with ldap authentication for users which have accounts on AD. I create group wheel in AD, and when user is logging to linux box, using the credentials from AD, he is assigned to group wheel, so he is able to made sudo su. That is nice solution for sysadmins in team.
But I am wondering about one thing.. If for example I have user in AD, and I would like to grant him access to server X as admin (wheel group), and server Y, which I want to be accessed by the same user, but without admin access.. I am able to set only one group in Windows AD.. So could I deal with it?
Does any of expirenced users have some idea how can I do it?
Why can you only set one group? You should be able to generically use any group membership in AD as normal and just add a GID to those AD groups, and have them work as posix groups too.
You might want to a look a translucent openldap proxy to potentially add in additional attributes that AD can't handle for whatever reason, but there IS a way to do it in AD properly.
Ok, but when I go in AD to user properities, then UNIX Attributes, at the bottom I have to chose only one field from list.
So how can I add other groups, and how can I chose the servers on which user should have other default group after authentication?
Yeah, ok I could add users to the groups..
But what if I have user, which should have root access to server 1,2 and 3, but on server 4 and 5, he should should have limited access?
Not exactly.. Because when I add user to some gropups admin or not admin.. how did linux know, should he have full access on server 1 and regular user access on server 2?
I think this is not possible via windows AD..
I fix it at the moment, by creating normal group for all users in AD, and when the user needs root privilages, I add him to sudoers on specific server. That's working for me.
So I suppose that is the one good solution to manage AD users on Linux boxes. Or maybe you have some other idea, how to manage them via AD?
it should all be working as I understand it, it's extremely possible and I've used it plenty. You add users to the group in AD, and that membership should show up on, for example, "getent group" on Linux. That group is then references in /etc/sudoers, /etc/security/access.conf or such like.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
