-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/20/2016 08:02 AM, Jakub Hrozek wrote:
> On Wed, Jan 20, 2016 at 12:16:50PM -0000, hsc(a)miracle.dk wrote:
>> Hi
>>
>> I have several users in my AD. All of them can now log in with ssh
>> to the Linux server, which is not intended.
>>
>> In the AD I have the group MyTestGrp. I want only users in that
>> group to have access to this server.
>>
>> Testing on the Linux server provides the information necessary
>> ("admjoin" should not have access):
>>
>> avgjoe@host007:~$ getent passwd admjoin
>> admjoin:*:1905540256:1905400513:AdmJoin:/home/corp.acme.com/admjoin:/bin/bash
>>
>> avgjoe@host007:~$ getent group MyTestGrp
>> MyTestGrp:*:1905738908:avgjoe,bob
>>
>> Where should I add MyTestGrp in the configuration files?
>>
>> I have looked around in /etc/sssd/ and /etc/pam.d/ without
>> success.
>>
>> It is working now with sudo for the group members, so I guess it
>> should be possible.
>
> access_provider=simple
> simple_allow_groups=MyTestGrp
Alternatively, if you want to manage things in AD itself, you can use:
access_provider=ad
ad_gpo_access_control=enforcing
Then you can set up GPO-based access control by setting "Allow
Interactive Remote Logon" (for ssh) and "Allow Interactive Logon" (for
console/graphical login) in a GPO applied to the machine(s).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEARECAAYFAlaf4YIACgkQeiVVYja6o6PrSgCfZKMYgj+s210jOeaQvPCjVSzt
cwIAn00h3AkTfS4K7TQNJKRDZCJ5Kq8q
=e6aU
-----END PGP SIGNATURE-----
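As an added example (not part of this thread, and not sssd's own code), here is a small Python model of how the `simple` access provider evaluates the `simple_allow_*` / `simple_deny_*` lists, so you can predict from a sssd.conf fragment plus `getent group` output who will pass the pam_sss account check before you lock yourself out. The sssd.conf fragment, the `getent group` lines, the extra `simple_deny_users = bob` entry and the `Domain Admins` group are constructed for illustration; the domain name corp.acme.com is taken from the home directory path in the question. The GPO-based alternative (`access_provider=ad`) is decided on the domain controller side and is not modelled here.

```python
"""Model of sssd's `simple` access provider (added example, not sssd code).

Re-implements the documented evaluation order of sssd-simple(5):
  1. if any allow list is set, the user must be in simple_allow_users
     or a member of a group in simple_allow_groups;
  2. then any match in simple_deny_users / simple_deny_groups denies;
  3. with all four lists empty, everyone is permitted.
"""

import configparser

# Constructed sssd.conf: the setting suggested in the thread plus one deny entry.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.acme.com
services = nss, pam

[domain/corp.acme.com]
id_provider = ad
access_provider = simple
simple_allow_groups = MyTestGrp
simple_deny_users = bob
"""

# Constructed `getent group` output (name:passwd:gid:member,member,...).
SAMPLE_GETENT_GROUP = """\
MyTestGrp:*:1905738908:avgjoe,bob
Domain Admins:*:1905400512:admjoin
"""

RULE_KEYS = ("simple_allow_users", "simple_allow_groups",
             "simple_deny_users", "simple_deny_groups")


def parse_rules(conf_text, domain):
    """Return {rule_key: set(names)} from the [domain/<domain>] section.

    A missing key and an empty value both become an empty set, which is
    how sssd treats them. Raises if the section does not use the simple
    provider, since the simple_* keys are ignored otherwise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = "domain/%s" % domain
    if cp.get(section, "access_provider", fallback="permit") != "simple":
        raise ValueError("access_provider is not 'simple' in [%s]" % section)
    rules = {}
    for key in RULE_KEYS:
        raw = cp.get(section, key, fallback="")
        rules[key] = {name.strip() for name in raw.split(",") if name.strip()}
    return rules


def parse_getent_group(text):
    """Turn `getent group` lines into {group_name: set(member_logins)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def user_groups(user, groups):
    """Groups that list `user` as a member."""
    return {g for g, members in groups.items() if user in members}


def evaluate(user, rules, groups):
    """Apply allow-then-deny. Returns (allowed: bool, reason: str)."""
    mine = user_groups(user, groups)
    allow_defined = bool(rules["simple_allow_users"] or rules["simple_allow_groups"])
    if allow_defined:
        in_allow = (user in rules["simple_allow_users"]
                    or bool(mine & rules["simple_allow_groups"]))
        if not in_allow:
            return False, "not in any allow list"
    if user in rules["simple_deny_users"]:
        return False, "listed in simple_deny_users"
    denied_via = mine & rules["simple_deny_groups"]
    if denied_via:
        return False, "member of denied group %s" % sorted(denied_via)[0]
    if allow_defined:
        return True, "allowed"
    return True, "no rules configured, default permit"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SSSD_CONF, "corp.acme.com")
    groups = parse_getent_group(SAMPLE_GETENT_GROUP)
    for login in ("avgjoe", "bob", "admjoin"):
        allowed, why = evaluate(login, rules, groups)
        print("%-8s %s (%s)" % (login, "ALLOW" if allowed else "DENY", why))
```

Things to check on the real host that this model cannot see: the group name in `simple_allow_groups` must be spelled exactly as `getent group` returns it (including the `@domain` suffix when `use_fully_qualified_names` is on); `getent group` shows only supplementary members, so use `id <user>` to see a user's full group list; the decision is enforced by pam_sss in the PAM `account` stack, so `getent passwd admjoin` will still succeed after the change and only the login is refused; and sssd has to be restarted (and, if stale entries linger, the cache cleared with `sss_cache -E`) after editing sssd.conf.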