Successfully joined my Linux box to a Windows AD domain. Wanted to know from other admins if it is possible to specify which groups from Windows AD are allowed to log in? Otherwise anyone with an AD account can log in. Suggestions?
I heartily recommend Likewise-Open for this sort of thing (http://www.beyondtrust.com/Products/PowerBroker-Identity-Services-Open-Edition/), because they make it dead simple to specify the groups able to log in, and the like.
The simplicity and time savings alone make it worth checking out. I built an AD infrastructure specifically to authenticate Linux users against AD, and I used this tool to do the configuration. I'm not a paid shill, I've just had such a good experience with it that I can't talk about it enough.
Go to where the computer object is located in AD and right click and select Properties. Under the security tab you can specify who has access and their rights on the machine.
I've recently completed a Linux/AD integration project at my employer. I tried out Likewise, but didn't appreciate the complete mess it made out of the LDAP tree in Active Directory. Anyway, I ended up going the "homebrew" route with mit-kerberos, ldap, and pam_ldap - we couldn't be happier. I use the AllowGroups directive in my sshd_config to limit which AD groups are able to authenticate to the server. This has worked quite well for us so far.
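An added example, not part of the thread: a shell check that approximates how sshd applies the AllowGroups directive mentioned above, so a group allow-list can be tested against an account's groups before it is deployed. The group names and sample config are constructed, and the model is simplified: it ignores Match blocks, DenyGroups, AllowUsers/DenyUsers and negated patterns.

```shell
#!/bin/sh
# Added example: simplified model of sshd's AllowGroups check (assumptions above).

# Print every AllowGroups pattern in the given sshd_config, one per line.
# The keyword is matched case-insensitively; commented-out lines are skipped
# because their first field is "#..." rather than the keyword.
allowgroups_patterns() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Return 0 if an account holding the listed groups passes AllowGroups, else 1.
# usage: ssh_group_check CONFIG GROUP [GROUP...]
ssh_group_check() {
    config=$1; shift
    patterns=$(allowgroups_patterns "$config")
    # No AllowGroups directive: sshd applies no group restriction at all.
    if [ -z "$patterns" ]; then
        return 0
    fi
    set -f    # stop * and ? in patterns from expanding against local files
    for group in "$@"; do
        for pattern in $patterns; do
            # Unquoted $pattern makes case treat * and ? as wildcards, the
            # same two wildcards sshd_config patterns use.
            case $group in
                $pattern) set +f; return 0 ;;
            esac
        done
    done
    set +f
    return 1
}

# Constructed sample config; the group names are made up for this example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Only members of these AD groups may open an SSH session
AllowGroups linux-admins web-*
EOF

ssh_group_check "$sample" domain-users linux-admins && echo "admin: allowed"
ssh_group_check "$sample" domain-users || echo "plain AD account: refused"
```

On a joined host the group arguments can come from `id -Gn <user>`, which shows the names as NSS resolves them; that output cannot be split safely if AD group names contain spaces.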