Linux Active Directory login for specific groups

I have done Linux Active Directory integrations many times in the past and thought I should blog / document some of it.

I want single sign-on for my environment, and I have a mixture of Windows and Linux systems. First of all, I like Active Directory and it's the natural solution for Windows systems, so I want to hook my Linux systems into that.

This, as it turns out, is easy and there are many different methods, but the one I have chosen to use (only because I have got it working reliably) is BeyondTrust PowerBroker Identity Services.

I am not going to copy and paste documentation that describes how to install PBIS (note it used to be called Likewise Open), as that can be found written very well elsewhere. I have included links to some good examples below. This is to document something that took me a long time to find: once I have Linux Active Directory login working, how do I lock it down to specific groups?

First some background:
PBIS uses a registry for configuration. This mimics the Windows registry, including its own registry editor, although this editor is command-line only.

On Ubuntu 12.04, the /opt/pbis/bin folder contains all the PBIS executables, including regshell, config, lwsm, enum-users, domainjoin-cli and lots of other goodies.

To find the list of groups that can log in (by default all domain users can log in):

:/opt/pbis/bin# ./config --show RequireMembershipOf

To restrict Linux Active Directory login to specific groups:

:/opt/pbis/bin# ./config RequireMembershipOf "domain\\group1" "domain\\group2"

Then remember to refresh the configuration (and expire cached Kerberos tokens):

:/opt/pbis/bin# ./lwsm refresh
:/opt/pbis/bin# ./ad-cache --delete-all
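
Once the restriction is in place it is worth checking that it stays in place, because an empty RequireMembershipOf silently puts you back to "all domain users can log in". The script below is an added example, not part of PBIS or of the original post: it compares the output of config --show RequireMembershipOf against the groups you expect. The function names, the sample outputs and the assumed output layout (one entry per line, surrounded by type/source lines) are my own assumptions.

```shell
#!/bin/sh
# Added example: audit the PBIS login allowlist for drift.
# ASSUMPTION: `config --show RequireMembershipOf` prints one entry per line,
# surrounded by type/source lines that contain no backslash.

# Constructed sample outputs, not captured from a real host.
SAMPLE_RESTRICTED='multistring
domain\group1
domain\group2
local policy'
SAMPLE_OPEN='multistring

local policy'

# Print configured entries (DOMAIN\name or SID), lowercased, sorted, unique.
parse_allowlist() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -n -e 's/[[:space:]]*$//' -e '/\\/p' -e '/^s-1-/p' | sort -u
}

# audit_allowlist <config output> <expected entry>...
# Returns 0 on match, 1 on drift, 2 if the list is empty (no restriction).
audit_allowlist() {
    actual=$(parse_allowlist "$1"); shift
    if [ -z "$actual" ]; then
        printf '%s\n' 'FAIL: RequireMembershipOf is empty, all domain users can log in' >&2
        return 2
    fi
    expected=$(printf '%s\n' "$@" | tr '[:upper:]' '[:lower:]' | sort -u)
    if [ "$actual" != "$expected" ]; then
        printf 'DRIFT: configured:\n%s\nexpected:\n%s\n' "$actual" "$expected" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed samples. On a real host, pass
# "$(/opt/pbis/bin/config --show RequireMembershipOf)" as the first argument.
for sample in "$SAMPLE_RESTRICTED" "$SAMPLE_OPEN"; do
    rc=0
    audit_allowlist "$sample" 'DOMAIN\group1' 'domain\group2' || rc=$?
    printf 'audit exit code: %s\n' "$rc"
done
```

The comparison is case-insensitive and order-independent, so it only fails when an entry has been added, removed or the list has been emptied.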

References and other cool links related to this article.


PowerShell 3.0 jumpstart

I was once in doubt about Microsoft's attempt to replicate the all-powerful *nix command line with PowerShell, but my eyes were opened and I got on the bandwagon. Now you will find me gathering information, solving problems and generally having a great time in PowerShell ISE. The lightbulb moment came when I took the PowerShell 3.0 Jumpstart course on Microsoft Virtual Academy.

It starts slow and steady. No prior PowerShell needed; however, you do need to leave your preconceptions behind if you are coming from Bash, Bourne, Csh, Zsh, DOS or any other shell. The two presenters are legends: Jeffrey Snover was the lead architect behind PowerShell, and Jason Helmick is a long-time Microsoft trainer and generally great guy.

What are you going to learn watching the PowerShell 3.0 jumpstart?

I learned a lot. I could put PowerShell together before, but I wouldn’t have said I understood what I was doing. After this I feel more confident in just typing out what I want, and most of the time it works 🙂

PowerShell really does rock!