
Unlike: Linux + Active directory authentication + only letting certain groups login

Which is a full AD solution for Linux, limited to groups.

What I want is:

A simple way a random internal Linux box can use AD to allow logins.

I want this to be restricted, no updates from Linux to AD. In effect this is a "READONLY" connection.

Examples include:

  • No password updates from Linux (you must use a windows machine)

  • No other updates or modifications etc from Linux to AD.

Why? Generally people require ROOT on these Linux machines. These are developers and need to install numerous tools etc. Rather than have local user accounts, I would like to have a centrally managed account repository like AD.

(Which our IT group knows and understands well enough - Linux not so much..)

I need USERNAMES + GROUP NUMBERS to be consistent across platforms for other reasons.

I could use YP (NIS) but the IT group likes AD for various reasons.

Greg Askew

2 Answers


Depending on the size of your company, if you have budget etc., it sounds like you need a 3rd party solution such as Centrify


I would argue that Developers should be able to do most of what they need to do on a Linux machine without needing root access.
"Configuration"? OK.
Compiling? Not so much.

Habitually running as root is like disabling UAC on Windows. "Easy" but ill-advised.

What's wrong with letting individual Developers log into the machine as themselves, using A.D. to do the authentication, manage their UID & GID, etc., and then have them sudo to root if they need to do so?
(Isn't that the recommended way of doing things?)

IIRC, it's possible to control both "shell" access to the machine and sudo access via an A.D. Group, so there would be minimal hands-on changes required on the server itself.

Phill W.