Ns7 and remote AD info

activedirectory

#1

NethServer Version: 7.4/5
While testing 7.5 I'm playing (after some time) with an ns7 joined with a remote AD (win2k12r2)

some questions… if I understand correctly:

Is it correct, or am I missing some easier way to manage access for remote domain users?

tnx


(Davide Principi) #2

Shell access can be enabled in the Users & groups page. Just edit a user and enable the checkbox …IIRC

Here I don’t understand: what do you want to achieve?


#3

i can’t edit user, I thought it was the normal behavior when joined to a remote AD so in read only mode, do you think i should try a new install?

yes sorry I forgot it :sweat_smile: to be honest I was only testing the update to 7.5 (and btw it seems to work well), but while testing I started trying to replicate the basic setup of my config with other servers/appliances at work. What I usually need:

  • no root access over ssh
  • joined to AD
  • ssh and sudo access for a specific group of AD (for administration)
  • access to webui (if present) for a specific group of AD for admin role
  • not always requested: access to part of web-ui for one or more domain group usually with no admin right
  • other tools to monitor and collect logs

In the end I obtained what I need (except the delegation of only a portion of the webui) by adapting sssd.conf, a small bash script that populates the local group administrators with members of my domain group of admins, and adding this domain group to sudoers.
I was only wondering if there was a smarter / easier way for a lazy admin like me :innocent:


(Davide Principi) #4

You’re right: remote ad means read only :frowning: sorry I missed that… I guess I must study the sssd sudo-gpo module to obtain a working solution!

I obtained it for a remote ns-samba ad, where shell access was enabled. For Ms ad I don’t have a running solution.

The default domain admins group has granted that right.

Please see this

http://docs.nethserver.org/en/v7/accounts.html#groups

@amygos is running an experiment with Graylog, @stephdl and I are building a nethserver-docker package… When we meet together we’ll get a centralized log solution for NethServer :wink:


#5

yes i’ll study it too :slight_smile:

that’s ok I’ve solved editing sssd.conf

yes and it works, but in my case not only the domain admins are the admins of the server, that’s why I’ve made the script

it was only a test, if i need to put in production or some deeper test, i’ll create custom fragment

but there is still a lot to study for me on sssd :sweat_smile:
however, what i would review is the following line in default sssd.conf:

default_shell = /usr/libexec/openssh/sftp-server

it seems to allow access to sftp to all my domain users. i will retest it as soon as i can
tnx
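
An added example, not code from any poster in this thread: a small audit for the `default_shell` question raised in post #5, listing for each `[domain/...]` section of an sssd.conf the shell sssd would hand out and whether logins are limited by a simple allow-list. The sample config, the domain and group names and the verdict labels are constructed for illustration; only sssd's `access_provider = simple` / `simple_allow_groups` is treated as a restriction, so other controls (AD access filters, GPO, sshd settings) are not evaluated.

```bash
# Added example: report the shell sssd hands out per domain and whether a
# simple allow-list limits who may log in. Names below are placeholders.
sample_conf() {   # constructed sample config
cat <<'EOF'
[sssd]
domains = ad.example.test, lab.example.test
[domain/ad.example.test]
access_provider = ad
default_shell = /usr/libexec/openssh/sftp-server
[domain/lab.example.test]
access_provider = simple
simple_allow_groups = linux-admins
override_shell = /bin/bash
EOF
}
# audit_sssd [FILE]: one line per [domain/...] section (reads stdin if no FILE).
audit_sssd() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function report(   sh, v) {
      if (dom == "") return
      sh = (override != "") ? override : shell    # override_shell supersedes default_shell
      if (sh == "") sh = "(from-directory)"       # shell comes from the directory entry
      if (sh ~ /(nologin|\/false)$/) v = "NOSHELL"
      else if (access == "simple" && groups != "") v = "RESTRICTED"
      else v = "OPEN"                             # no allow-list seen: review manually
      printf "%s shell=%s access=%s allow_groups=%s verdict=%s\n", dom, sh, access, (groups == "" ? "-" : groups), v
    }
    /^[ \t]*[#;]/ { next }                        # skip comment lines
    /^[ \t]*\[/ {                                 # a new section starts
      report(); dom = ""; line = trim($0)
      if (line ~ /^\[domain\//) {
        dom = substr(line, 9, length(line) - 9)
        shell = ""; override = ""; groups = ""; access = "permit"   # sssd default provider
      }
      next
    }
    dom != "" && (eq = index($0, "=")) {          # key = value inside a domain section
      k = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
      if (k == "default_shell") shell = val
      else if (k == "override_shell") override = val
      else if (k == "access_provider") access = val
      else if (k == "simple_allow_groups") groups = val
    }
    END { report() }
  ' "${1:--}"
}

sample_conf | audit_sssd
```

On a real host, pass the config path instead, for example `audit_sssd /etc/sssd/sssd.conf`; an `OPEN` line marks a domain to review, not a confirmed exposure.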