Successfully joined my Linux box to a Windows AD domain. Wanted to know from other admins if it is possible to specify which groups from Windows AD are allowed to log in? Otherwise anyone with an AD account can log in. Suggestions?
3 Answers
I heartily recommend Likewise-Open for this sort of thing (http://www.beyondtrust.com/Products/PowerBroker-Identity-Services-Open-Edition/), because they make it dead simple to specify the groups able to log in, and the like.
The simplicity and time savings alone are worth checking it out. I built an AD infrastructure specifically to authenticate Linux users against AD, and I used this tool to do the configuration. I'm not a paid shill, I've just had such a good experience with it that I can't talk about it enough.

Congrats on the 10K! – Dennis Williamson May 13 '10 at 01:41
congrats on 10K! – Mark Henderson May 13 '10 at 03:41
Go to where the computer object is located in AD and right click and select Properties. Under the security tab you can specify who has access and their rights on the machine.

Have you verified that this works with Linux hosts? I may be wrong, but I'm nearly 100% certain that it does not. – EEAA May 10 '10 at 22:03
I've recently completed a Linux/AD integration project at my employer. I tried out Likewise, but didn't appreciate the complete mess it made out of the LDAP tree in Active Directory. Anyway, I ended up going the "homebrew" route with mit-kerberos, ldap, and pam_ldap - we couldn't be happier. I use the AllowGroups directive in my sshd_config to limit which AD groups are able to authenticate to the server. This has worked quite well for us so far.

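The AllowGroups approach from the last answer, as an added example that is not part of the original thread: a simplified Python model of how sshd applies global DenyGroups and AllowGroups, useful for checking who a given config would admit. The config excerpt and group names are constructed, and Match blocks are deliberately not evaluated.

```python
import re

# Constructed sshd_config excerpt; the AD group names are hypothetical.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed excerpt)
PermitRootLogin no
DenyGroups contractors
# '?' matches any single character, so it can stand in for the
# space in an AD group name such as "domain admins".
AllowGroups linux-admins db-operators domain?admins
Match Address 10.0.0.0/8
    AllowGroups helpdesk
"""

def _pattern_matches(pattern, name):
    """sshd group patterns know only '*' and '?'; matching is case-sensitive."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, name) is not None

def group_rules(config_text):
    """Collect global AllowGroups/DenyGroups patterns (keywords are case-insensitive)."""
    rules = {"allowgroups": [], "denygroups": []}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        keyword = words[0].lower()
        if keyword == "match":
            break  # simplification: conditional Match blocks are not modelled
        if keyword in rules:
            rules[keyword].extend(words[1:])
    return rules

def _any_match(patterns, groups):
    return any(_pattern_matches(p, g) for p in patterns for g in groups)

def login_allowed(config_text, user_groups):
    """user_groups: primary and supplementary group names as NSS reports them."""
    rules = group_rules(config_text)
    if _any_match(rules["denygroups"], user_groups):
        return False  # DenyGroups is checked first and always wins
    if rules["allowgroups"] and not _any_match(rules["allowgroups"], user_groups):
        return False  # once AllowGroups is set, every other group is shut out
    return True  # no AllowGroups at all: any account that authenticates gets in
```

Feed it the group names that `id -Gn <user>` prints on the joined host, since sshd compares against those names rather than the AD display names.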