I am using SSSD to get user AUTH from a backend Samba4 AD/DC.
For Linux clients sssd.conf is configured to query Samba4 AD based on LDAP/Kerberos i.e. the Linux clients have not done a Domain join. Physical console logins -- things are working fine with changes to NSS and PAM (tool authconfig) for domain User AUTH on Linux and Windows clients.
However, I want to restrict access to certain machines to users of a specific group, e.g. HR. I guess this is possible on Windows clients with group policies. Is the same possible on CentOS (Linux) workstations?
TIA,
I am not familiar with the inner workings of SSSD, but with pam_listfile you can specify users or groups that must be met for pam to succeed.
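As an added illustration of Barry's suggestion (this is example code, not something posted in the thread): a small POSIX shell helper that writes the group allow-list pam_listfile expects, emits the PAM stanza, and lets you dry-run which users would pass. The file path /etc/login.group.allowed and the group name HR are assumptions; pam_listfile with item=group consults every group NSS returns for the user, so AD groups served by SSSD are matched the same way as local ones.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict logins to members of one AD group
# with pam_listfile. ALLOWED_GROUP and ALLOW_FILE are assumed values.
ALLOWED_GROUP="${ALLOWED_GROUP:-HR}"                      # group name as NSS/SSSD resolves it
ALLOW_FILE="${ALLOW_FILE:-/etc/login.group.allowed}"      # one group name per line

# pam_listfile refuses a list file that is not owned by root or is writable by
# group/other; combined with onerr=fail that turns a sloppy permission into a
# lock-out instead of a silent bypass, so set ownership and mode explicitly.
write_allow_file() {
    file="$1"; group="$2"
    printf '%s\n' "$group" > "$file"
    chown root:root "$file" 2>/dev/null || true   # no-op when not running as root
    chmod 0644 "$file"
}

# The stanza to add to the PAM stack of the services you want fenced
# (/etc/pam.d/login for the console, /etc/pam.d/sshd for ssh).
#   sense=allow  -> only listed groups may continue
#   onerr=fail   -> any error (missing or badly-owned file) denies access
#   item=group   -> match against all groups the user belongs to
pam_stanza() {
    printf 'account    required     pam_listfile.so onerr=fail item=group sense=allow file=%s\n' "$1"
}

# Dry run: would this user pass the stanza? Mirrors pam_listfile's check by
# comparing the user's full NSS group list against the file contents.
user_allowed() {
    user="$1"; file="$2"
    for g in $(id -Gn "$user" 2>/dev/null); do
        grep -qxF "$g" "$file" && return 0
    done
    return 1
}

# Typical use (uncomment when running as root on the workstation):
# write_allow_file "$ALLOW_FILE" "$ALLOWED_GROUP"
# pam_stanza "$ALLOW_FILE"          # paste this into /etc/pam.d/login and sshd
# user_allowed someuser "$ALLOW_FILE" && echo allowed || echo denied
```

Put the line in the per-service files rather than in system-auth: authconfig regenerates system-auth, so a stanza added there is lost on the next run, and system-auth is also included by su and sudo, where a group fence is usually not what you want. For a deployment that is SSSD-managed anyway, SSSD's own simple access provider (access_provider = simple with simple_allow_groups in sssd.conf) achieves the same fence without touching PAM; that option is not mentioned in the thread and is noted here only as the alternative a practitioner would weigh.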
On Mon, Nov 3, 2014 at 12:34 PM, Barry Brimer lists@brimer.org wrote:
> I am not familiar with the inner workings of SSSD, but with pam_listfile you can specify users or groups that must be met for pam to succeed.
Thanks. This link [1] has a bit more detail on the implementation (I found it just after posting the query) for the files. As for PAM <> SSSD interaction, with proper NSS config, the query first goes to the Directory Server, failing which to 'local' /etc/group.
[1] http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
-- Arun Khan