Ns7 and remote AD info

dz00te · May 4, 2018, 11:35am

NethServer Version: 7.4/5
while testing 7.5 i’m playng (after some time) with an ns7 joined with a remote AD (win2k12r2)

some question… if i understand correctly:

i can’t login in ssh with a domain user (without editing sssd.conf), same thing to restrict access to ssh to some domain users or group
after changing sssd conf i can use this to https://wiki.nethserver.org/doku.php?id=howto:useful_commands#allow_a_user_to_the_server-manager
to create group and restrict access to domain admin users
delegation panel seems to not work with remote AD, but i must test it better

it is correct or i am missing some easier way to manage access for remote domain users?

tnx

davidep · May 4, 2018, 7:32pm

Shell access can be enabled in the Users & groups page. Just edit a user and enable the checkbox …IIRC

Here I don’t understand: what do you want to achieve?

dz00te · May 5, 2018, 7:45am

i can’t edit user, I thought it was the normal behavior when joined to a remote AD so in read only mode, do you think i should try a new install?

yes sorry i forgot it to be honest i was only testing update to 7.5 (and btw it seems to works well), but while testing i started trying to replicate basic setup of my config with other servers/appliances at work, what i usually need:

no root access over ssh
joined to AD
ssh and sudo access for a specific group of AD (for administration)
access to webui (if present) for a specific group of AD for admin role
not always requested: access to part of web-ui for one or more domain group usually with no admin right
other tools to monitor and collect logs

at the end i obtained what i need (except the delegation of only a portion of webui) adapting sssd.conf, a small bash script that populate local group administrators with members of my domain group of admin, and adding this domain group to sudoers
i was only thinking if there was a smarter / easier way for lazy admin like me

davidep · May 5, 2018, 8:05am

You’re right: remote ad means read only sorry I missed that… I guess I must study the sssd sudo-gpo module to obtain a working solution!

I obtained it for a remote ns-samba ad, where shell access was enabled. For Ms ad I don’t have a running solution.

The default domain admins group has granted that right.

Please see this

http://docs.nethserver.org/en/v7/accounts.html#groups

@amygos is running an experiment with Graylog, @stephdl and I are building a nethserver-docker package… When we meet together we’ll get a centralized log solution for NethServer

dz00te · May 8, 2018, 1:34pm

yes i’ll study it too

that’s ok I’ve solved editing sssd.conf

yes and it works, but in my case not only the domain admins are the admins of the server, that’s why I’ve made the script

it was only a test, if i need to put in production or some deeper test, i’ll create custom fragment

but there is still a lot to study for me on sssd
however, what i would review is the following line in default sssd.conf:

default_shell = /usr/libexec/openssh/sftp-server

it seems to allow access to sftp to all my domain users. i will retest it as soon as i can
tnx