I have had Linux Active Directory integrations many times in the past and thought I should blog / document some of it.
I want single sign-on for my environment and I have a mixture of Windows and Linux systems. I like Active Directory, and it's the natural solution for Windows systems, so I want to hook my Linux systems into that.
This, as it turns out, is easy and there are many different methods, but the one I have chosen (only because I have got it working reliably) is BeyondTrust PowerBroker Identity Services (PBIS).
I am not going to copy and paste documentation that describes how to install PBIS (note it used to be called Likewise Open), as that is written very well elsewhere; I have included links to some good examples below. This post is to document something that took me a long time to find: once I have Linux Active Directory login working, how do I lock it down to specific groups?
First, some background:
PBIS uses a registry for configuration. This mimics the Windows registry, including its own registry editor, although this one is command-line.
On Ubuntu 12.04 the /opt/pbis/bin folder contains all the PBIS executables, including regshell, config, lwsm, enum-users, domainjoin-cli and lots of other goodies.
To find the list of groups that can log in (by default all domain users can log in):
:/opt/pbis/bin# ./config --show RequireMembershipOf
To restrict Linux Active Directory login to specific groups:
:/opt/pbis/bin# ./config RequireMembershipOf "domain\\group1" "domain\\group2"
Then remember to refresh the configuration (and expire cached Kerberos tokens):
:/opt/pbis/bin# lwsm refresh
:/opt/pbis/bin# ad-cache --delete-all
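The three steps above wrapped in a small POSIX sh script, as an added example that is not from the original post or from BeyondTrust. It assumes PBIS is installed under /opt/pbis/bin (override with PBIS_BIN); the DRY_RUN switch and the group names CORP\linux-admins and CORP\linux-ops are constructed for illustration. It refuses an empty list, since an empty RequireMembershipOf falls back to the default of letting every domain user log in.

```shell
#!/bin/sh
# Restrict PBIS Active Directory logins to the listed AD groups, then apply
# the change with the lwsm refresh and ad-cache flush described above.
# Assumptions (not from the post): PBIS lives under /opt/pbis/bin unless
# PBIS_BIN overrides it; DRY_RUN=1 prints the commands instead of running them.
PBIS_BIN="${PBIS_BIN:-/opt/pbis/bin}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only the DOMAIN\group form: exactly one backslash, both parts non-empty.
valid_group() {
    case "$1" in
        ""|\\*|*\\)  return 1 ;;   # empty, or missing domain or group part
        *\\*\\*)     return 1 ;;   # more than one backslash
        *\\*)        return 0 ;;   # DOMAIN\group
        *)           return 1 ;;   # no backslash at all
    esac
}

# Validate every group, set RequireMembershipOf, refresh lwsm, drop the AD
# cache, then show the value now in effect. Refuses an empty list, because an
# empty RequireMembershipOf lets every domain user log in again (the default).
restrict_logins() {
    if [ "$#" -eq 0 ]; then
        printf 'refusing: empty group list would allow all domain users\n' >&2
        return 1
    fi
    for g in "$@"; do
        valid_group "$g" || { printf 'bad group name: %s (want DOMAIN\\group)\n' "$g" >&2; return 1; }
    done
    run "$PBIS_BIN/config" RequireMembershipOf "$@" || return 1
    run "$PBIS_BIN/lwsm" refresh || return 1
    run "$PBIS_BIN/ad-cache" --delete-all || return 1
    run "$PBIS_BIN/config" --show RequireMembershipOf
}

# Usage: sh restrict-ad-logins.sh 'CORP\linux-admins' 'CORP\linux-ops'
# (single quotes keep the backslash literal; "CORP\\linux-admins" also works).
[ "$#" -gt 0 ] && restrict_logins "$@"
```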
References and other cool links related to this article:
- PBIS Manual
- Andy Smith's guide to using Likewise Open (a lot of this has changed)
- Ubuntu forum on debugging Likewise on 10.04
- AD Auth thread on Ubuntu forums for 14.04