
Re: Qs re: ActiveDirectory authentication & perms



On Mon, May 22, 2017 at 9:59 AM, Kent West <westk@acu.edu> wrote:
I'm not quite sure what questions to ask...

I have a Debian box used by 10 or 12 people on a university campus; most of them are using it just as file-storage via Samba from their Windows/Macs boxes; a few are ssh'ing into it, etc, for other usages; some have web sites on it.

For years their accounts have been maintained as local accounts on that Debian box, but as we're swapping out hardware, I'm also thinking it's time to swap out account management to let our campus-wide Active Directory provide their accounts instead of them (and me) having to maintain two separate sets of account credentials (three, if you include the samba file-sharing account on the old Debian setup).

After considerable hair-pulling, I've managed to get the box to authenticate using their AD credentials, so that a user can simply ssh in without having an account on the box, using their AD credentials. But of course, their User IDs in AD are different than they were on the old Debian box, so their file permissions are different.

Since it's just a dozen users or so, I can easily "id" their AD UID and "chown -R" their files in their home directory (which have been copied over manually from the old Debian box) to their AD UID.

But that leaves several questions:

<snip>

3) Can I limit logins/file-sharing to just a subset of campus users (one department, not just anyone having a campus account)?


To answer my own question on this.

A detail I left out was that I set up my AD-authentication via "realmd", as per this site:

http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/

To restrict logins to just certain users/groups, simply edit /etc/sssd/sssd.conf, as in this snippet:

############
#access_provider = ad
access_provider = simple
simple_allow_users = westk
simple_allow_groups = technology support admins,Mathematics
############

I could have left the "= ad" option and used more complex "allow" lines (see docs for sssd.conf), but the "simple" option was easier. Anyone not specified in an "allow" line is implicitly denied.

Don't forget that you have to restart sssd after making any changes: systemctl restart sssd

Note that there are other ways of accomplishing this task also (tinkering with /etc/pam.d/sshd, /etc/pam.d/login, /etc/security/access.conf, etc.), but this route does what I need.



--
Kent West                    <")))><
Westing Peacefully - http://kentwest.blogspot.com
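An added example, not part of Kent's post or of sssd itself: a small POSIX-sh script that models the decision the sssd "simple" access provider makes for a given user and group list, so an allow list can be sanity-checked before restarting sssd and possibly locking yourself out of the box. The two config files are constructed inline (the first copies the snippet above; the second shows the failure mode where access_provider = simple is set but no allow or deny lines are given, which sssd-simple(5) treats as "everyone allowed"). The user and group names (westk, jdoe, rroe, Mathematics, "domain users", example.edu) are illustrative, and the script assumes a single [domain/...] section and unqualified group names as in the post; it is not a substitute for `sssctl user-checks <user>` from the sssd-tools package, which asks the running sssd for the real answer.

```shell
#!/bin/sh
# Added example (not from the original post or from sssd): emulate the
# sssd "simple" access provider so an allow/deny list can be checked offline.
# Assumptions: one [domain/...] section; the keys simple_allow_users,
# simple_allow_groups, simple_deny_users, simple_deny_groups hold
# comma-separated values; group names are passed unqualified, as in the post.

# Constructed sample config, copied from the snippet in the post.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.edu
services = nss, pam

[domain/example.edu]
id_provider = ad
#access_provider = ad
access_provider = simple
simple_allow_users = westk
simple_allow_groups = technology support admins,Mathematics
EOF

# Constructed "weak" config: simple provider selected but no lists at all.
OPEN_CONF=$(mktemp)
cat >"$OPEN_CONF" <<'EOF'
[domain/example.edu]
id_provider = ad
access_provider = simple
EOF
trap 'rm -f "$SAMPLE_CONF" "$OPEN_CONF"' EXIT

# conf_list FILE KEY: print each comma-separated value of KEY, one per line,
# whitespace-trimmed; prints nothing if KEY is absent or commented out.
conf_list() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | sed '/^$/d'
}

# in_list NEEDLE: succeed if NEEDLE is exactly one of the lines on stdin.
in_list() {
    grep -qxF -- "$1"
}

# simple_access FILE USER GROUP...: print ALLOW or DENY, return 0 or 1.
# Order of evaluation mirrors sssd-simple(5): deny lists win; if any allow
# list is non-empty the user must match one of them; if every list is empty
# access is granted to everyone (the trap with OPEN_CONF above).
simple_access() {
    conf=$1; user=$2; shift 2
    if conf_list "$conf" simple_deny_users | in_list "$user"; then
        echo DENY; return 1
    fi
    for g in "$@"; do
        if conf_list "$conf" simple_deny_groups | in_list "$g"; then
            echo DENY; return 1
        fi
    done
    allow_users=$(conf_list "$conf" simple_allow_users)
    allow_groups=$(conf_list "$conf" simple_allow_groups)
    if [ -z "$allow_users" ] && [ -z "$allow_groups" ]; then
        echo ALLOW; return 0      # no allow lists at all: open to everyone
    fi
    if printf '%s\n' "$allow_users" | in_list "$user"; then
        echo ALLOW; return 0
    fi
    for g in "$@"; do
        if printf '%s\n' "$allow_groups" | in_list "$g"; then
            echo ALLOW; return 0
        fi
    done
    echo DENY; return 1             # implicit deny, as the post says
}

# Demo runs (constructed users): ALLOW, ALLOW, DENY, then ALLOW under OPEN_CONF.
simple_access "$SAMPLE_CONF" westk "domain users" || :
simple_access "$SAMPLE_CONF" jdoe  "domain users" Mathematics || :
simple_access "$SAMPLE_CONF" rroe  "domain users" || :
simple_access "$OPEN_CONF"   rroe  "domain users" || :
```

The last call is the caveat worth remembering: switching access_provider from ad to simple and then forgetting (or mistyping, or leaving commented out) the simple_allow_* lines does not deny everyone, it admits every account in the domain. Run `sssctl user-checks westk` on the box after `systemctl restart sssd` to confirm what sssd itself decides.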
