Linux Active Directory login for specific groups

I have had Linux Active Directory integrations many times in the past and thought I should blog / document some of it.

I want single sign-on for my environment, and I have a mixture of Windows and Linux systems. First of all, I like Active Directory and it's the natural solution for Windows systems, so I want to hook my Linux systems into that.

This, as it turns out, is easy and there are many different methods, but the one I have chosen (only because I have got it working reliably) is BeyondTrust PowerBroker Identity Services (PBIS).

I am not going to copy and paste documentation that describes how to install PBIS (note it used to be called Likewise Open), as that is written very well elsewhere; I have included links to some good examples below. This post is to document something that took me a long time to find: once I have Linux Active Directory login working, how do I lock it down to specific groups?

First, some background:
PBIS uses a registry for configuration. This mimics the Windows registry, including its own registry editor, although this editor is command-line only.

On Ubuntu 12.04 the /opt/pbis/bin folder contains all the PBIS executables, including regshell, config, lwsm, enum-users, domainjoin-cli and lots of other goodies.

To find the list of groups that can log in (by default all domain users can log in):

:/opt/pbis/bin# ./config --show RequireMembershipOf

To restrict Linux Active Directory login to specific groups:

:/opt/pbis/bin# ./config RequireMembershipOf "domain\\group1" "domain\\group2"

Then remember to refresh the configuration (and expire cached Kerberos tokens):

:/opt/pbis/bin# ./lwsm refresh
:/opt/pbis/bin# ./ad-cache --delete-all
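The four commands above as a small script, added here as an example and not part of the original post or of PBIS itself: it rejects group names that are not in the DOMAIN\group form the post uses, applies the restriction, refreshes lwsm, clears the AD cache and reads the setting back. The /opt/pbis/bin path is the one from the post; DRY_RUN and PBIS_APPLY are variables assumed for this script.

```shell
#!/bin/sh
# Added example (not from the original post): the post's four PBIS commands as
# a script that validates group names, applies RequireMembershipOf, refreshes
# lwsm, clears the AD cache and reads the setting back. DRY_RUN=1 only prints.
PBIS_BIN="${PBIS_BIN:-/opt/pbis/bin}"   # install path from the post
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only the DOMAIN\group form the post uses: exactly one backslash with
# text on both sides, so an unqualified name never reaches PBIS.
valid_group() {
    case "$1" in
        ''|\\*|*\\) return 1 ;;   # empty, or nothing before/after the backslash
        *\\*\\*)    return 1 ;;   # more than one backslash
        *\\*)       return 0 ;;
        *)          return 1 ;;   # no domain qualifier at all
    esac
}

# Apply the restriction, then refresh the service and drop cached AD data so it
# is enforced at once. An empty list is refused: an empty RequireMembershipOf
# would reopen login to all domain users.
set_required_groups() {
    [ "$#" -gt 0 ] || { printf 'refusing to set an empty group list\n' >&2; return 2; }
    for g in "$@"; do
        valid_group "$g" || { printf 'not DOMAIN\\group form: %s\n' "$g" >&2; return 2; }
    done
    run "$PBIS_BIN/config" RequireMembershipOf "$@" &&
    run "$PBIS_BIN/lwsm" refresh &&
    run "$PBIS_BIN/ad-cache" --delete-all
}

# Read the setting back to confirm what PBIS will enforce.
show_required_groups() {
    run "$PBIS_BIN/config" --show RequireMembershipOf
}

# Only touches PBIS when asked: PBIS_APPLY=1 sh restrict.sh 'DOMAIN\g1' 'DOMAIN\g2'
if [ "${PBIS_APPLY:-0}" = "1" ]; then
    set_required_groups "$@" && show_required_groups
fi
```

Run it as root with DRY_RUN=1 first to review the exact commands, and keep an existing root session open while testing, since a mistyped group name leaves no domain user able to log in.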

