What are the best practices for using Active Directory to authenticate users on Linux (Debian) boxes?
The way I would like it to work would be to add AD users to a group – say linux administrators or linux webserver, and based on their group membership they would/would not be granted access to a particular server. Ideally the root account would be the only one maintained in the standard way.
My goals in doing this are as follows:
- To allow password changes in one place
- To automatically grant certain people access to the Linux servers using their AD credentials
- To consolidate all of our user information into one database
Things I want to avoid are:
- anything difficult/counter-intuitive for our Active Directory administrator to manage
- locking users out if the AD servers are unreachable for some reason (i.e., it needs to cache the credentials somehow)
- anything too complex or non-standard that will break the next time I upgrade the server.
Best Answer
Also see Linux clients on a Windows domains and How practical is it to authenticate a Linux server against AD?