
We integrated our Linux environment into our AD 2016. Now an additional request is to add an autofs service, via AD, to provide the admins (Linux admins, DB admins, application admins) with their personal /home. We have to administer roughly 600 VMs and physical Linux servers. There are now some concerns in regard to security. What if one of the admins has malicious sw in his /home which could probably infect other servers? My question is, how is this done at other sites to have a “more” secure approach? Is there a best practice approach available?
BR

  • Are you asking about the authentication of users via AD to your Autofs disk servers, or about the deployment of an AutoFS configuration via AD? An example or two might come in useful. – roaima Feb 16 '18 at 15:12
  • There are Linux admins, DB admins, application admins and other users who have to log on to all these servers. Now, the question came up whether it would be a good idea to implement an autofs service, so that each of these users has their /home mounted on the servers. There are now some concerns regarding security. When they have mounted /home on all these servers, and have some malicious sw in their /home, it "could" infect all the servers. My question is more, how is this request addressed at other customers? –  Feb 16 '18 at 15:39
  • At that scale you really should consider using a FreeIPA domain with trust to AD. – Michael Hampton Feb 19 '18 at 18:01
  • I wouldn't go mounting home directories on random production servers. However, if you do I would definitely use FreeIPA as @MichaelHampton suggested. It'll make this a lot easier. – Spooler Feb 19 '18 at 18:38
  • @roaima The same reason we don't use screwdrivers to drive nails. The right tool for the job. AD is designed for Windows environments, and FreeIPA is designed to manage Linux environments. In particular FreeIPA has a lot of Linux-specific functionality that AD does not, such as managing sudoers or SELinux rules. – Michael Hampton Feb 19 '18 at 23:23

0 Answers