On 2013-11-25 17:57, Adam Compton wrote:
The way we do this at $WORK is roughly the following:
* Each Linux host has an /etc/krb5.conf that tells it about the AD realm
* We run a script that queries AD via LDAP for all of the user and group data
and crafts /etc/passwd and /etc/group accordingly (retaining system service
accounts, etc.)
* sshd is configured with "GSSAPIAuthentication yes"
* We instruct users to use "GSSAPIAuthentication yes" in their ssh .config
files, and to run "kinit" at appropriate intervals or automatically on login,
etc.
With this configuration, users can connect with SSH and authenticate with
their Kerberos TGT, and the list of groups is pulled directly from AD.
Further, the script that builds /etc/passwd can be configured to limit the
users it configures to only the members of one or more specific groups, so
users in AD who are not in those groups are never even configured on the box
and cannot possibly log in. Our actual configuration has some more features on
top of this (UIDs are derived from the RID in AD, so they're consistent for
that user across all machines and the entire lifetime of that account object;
the "loginShell" AD attribute is respected; disabled accounts are disabled,
etc.), but that's essentially the idea.
Another issue with this setup is that the TGT doesn't get renewed
automatically the way pure Kerberos login and Windows do it.
--
Yves.
It's Movember... http://mobro.co/yvesdorfsman
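As an added illustration of the passwd/group generation step described in the quoted message (not Adam's actual script, which was never posted), the following Python builds /etc/passwd and /etc/group lines from AD entries: it keeps local system accounts, provisions only members of permitted groups, derives the UID from the RID in objectSid, honours loginShell, and neutralises accounts that carry the ACCOUNTDISABLE flag. The LDAP results are constructed dicts standing in for what ldapsearch or python-ldap would return; UID_BASE, LOCAL_LIMIT, the use of primaryGroupID for the primary GID, and mapping a disabled account to /usr/sbin/nologin are assumptions of this example.

```python
import struct

ACCOUNTDISABLE = 0x2     # userAccountControl bit (Microsoft-documented)
UID_BASE = 100_000       # assumed offset added to the RID so IDs never collide with local ones
LOCAL_LIMIT = 1000       # assumed: existing entries with an id below this are system accounts to keep

def rid_from_sid(sid: bytes) -> int:
    # Binary objectSid: revision, sub-authority count, 6-byte authority, then
    # little-endian 32-bit sub-authorities; the RID is the last sub-authority.
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]

def cn_of(dn: str) -> str:
    return dn.split(",", 1)[0].split("=", 1)[1]

def build_passwd_group(users, groups, allowed_groups, existing_passwd, existing_group):
    # Retain local system accounts; every other entry is rebuilt from AD each run.
    passwd = [l for l in existing_passwd if int(l.split(":")[2]) < LOCAL_LIMIT]
    group = [l for l in existing_group if int(l.split(":")[2]) < LOCAL_LIMIT]
    configured = {}                                     # user DN -> login name
    for u in users:
        if not {cn_of(g) for g in u["memberOf"]} & allowed_groups:
            continue                                    # not in a permitted group: never provisioned
        name, uid = u["sAMAccountName"], UID_BASE + rid_from_sid(u["objectSid"])
        shell = u.get("loginShell", "/bin/bash")        # AD loginShell attribute is respected
        if u["userAccountControl"] & ACCOUNTDISABLE:
            shell = "/usr/sbin/nologin"                 # assumed way to mirror an AD-disabled account
        passwd.append(f"{name}:x:{uid}:{UID_BASE + u['primaryGroupID']}:{name}:/home/{name}:{shell}")
        configured[u["dn"]] = name
    for g in groups:
        members = sorted(configured[m] for m in g["member"] if m in configured)
        group.append(f"{g['cn']}:x:{UID_BASE + rid_from_sid(g['objectSid'])}:{','.join(members)}")
    return passwd, group

def sid(*subs):
    # Constructed binary SID S-1-5-<subs...> in the layout AD returns for objectSid.
    return bytes([1, len(subs), 0, 0, 0, 0, 0, 5]) + struct.pack(f"<{len(subs)}I", *subs)

DOM = (21, 1, 2, 3)                                     # constructed domain identifier
def user(name, rid, uac, grp, **extra):                 # constructed LDAP user entry
    return {"dn": f"CN={name},OU=Users,DC=example,DC=com", "sAMAccountName": name,
            "objectSid": sid(*DOM, rid), "primaryGroupID": 513, "userAccountControl": uac,
            "memberOf": [f"CN={grp},OU=Groups,DC=example,DC=com"], **extra}
USERS = [user("alice", 1105, 0x200, "linux-admins", loginShell="/bin/zsh"),
         user("bob", 1106, 0x202, "linux-admins"),      # 0x202 = normal account + ACCOUNTDISABLE
         user("carol", 1107, 0x200, "finance")]         # not in an allowed group
GROUPS = [{"cn": "linux-admins", "objectSid": sid(*DOM, 1200), "member": [USERS[0]["dn"], USERS[1]["dn"]]}]
EXISTING_PASSWD = ["root:x:0:0:root:/root:/bin/bash", "sshd:x:105:65534::/run/sshd:/usr/sbin/nologin",
                   "stale:x:101999:100513::/home/stale:/bin/bash"]   # left-over AD user: dropped on rebuild

if __name__ == "__main__":
    pw, gr = build_passwd_group(USERS, GROUPS, {"linux-admins"}, EXISTING_PASSWD, ["root:x:0:"])
    print("\n".join(pw + gr))
```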
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/