I'm looking for suggestions on separating authorization from authentication under Mac OS-X (Sierra).
I'm attempting to set up a new Mac, following a model that works very well on our Linux desktops & servers:

- The NIS passwd table provides a list of accounts that are _authorized_ to use the department systems. NIS does not have any passwords.
- Linux machines are joined to the Active Directory for _authentication_. AD has a superset of the data in NIS, plus passwords.
- Linux machines are configured via /etc/pam.d/system-auth and /etc/nsswitch.conf to require a valid account for authorization.
- Linux machines are configured using Kerberos (/etc/pam.d/system-auth and /etc/krb5.conf) to use authentication via krb5 as sufficient for logins (i.e., if there's an account in NIS, send the password to AD).

The new Mac is bound to Active Directory, that's good, but currently anyone in the AD can log in to the machine.

The Mac is also an NIS client, and queries (ypcat) work fine, listing the users from NIS who should be allowed access.

Both AD and NIS are available in the Open Directory GUI.

So far, so good. The part I'm missing is how to configure Open Directory to do _authorization_ lookups only from one data source (NIS) and _authentication_ only from another (AD).

Any suggestions?

Thanks,

Mark