
I have done some research on the topic, but I can't quite find a straight answer to my question. Please tell me if my understanding is correct.

Kerberos can be used as the bridge between a Linux/Unix OS and the Windows AD. Policies (e.g. user/group 'A' has access to resources 'X' and 'Y' but not 'Z') can be set in AD and Kerberos enforces these policies. So a RHEL server can have user accounts without passwords (i.e. locked accounts), but these users can still authenticate to the server if Kerberos directed by AD policy says they should have access.

My concern is that a Linux account without a password in the shadow file can be granted access if they are a member of the AD domain, but no longer should have access to the Linux server. In an unrelated organization, I have bound an iMac to an AD and any member of the domain can access the iMac.

Andrew

1 Answer


If I understand your question, the answer is no. Linux can use AD via Kerberos + LDAP and SSSD or various other methods to get account login details, and account authentication.

Linux doesn't, out of the box, get any policies. Policies or authorization are set in the system that you're authenticating against. So if you're accessing a Windows fileshare, you set the permissions on that Windows server. If you're accessing a Linux fileshare, you set permissions on that Linux server...

Linux doesn't read the AD "Allow log on to" attribute; instead you would need to use PAM or other Linux settings to say who can log in.

jmp242
  • I think this answers my question (though not the answer I wanted). Organization ABC, Inc. has an AD domain, a variety of servers, and uses Kerberos. User JSMITH has an account on a RHEL server and the AD. The RHEL server does not store a password for JSMITH or any other users because it uses Kerberos to authenticate via the AD credentials. Now JSMITH transfers from IT to HR and no longer needs access to the RHEL server, but he is still in the AD. You are saying this is not controlled via the AD, but on the RHEL server, correct? – Andrew Mar 11 '15 at 16:24
  • Yes, the RHEL server will need to be told to no longer allow the user to log in. – jmp242 Mar 13 '15 at 12:28
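As an added illustration of the "tell the RHEL server who may log in" point from the answer and its follow-up comment (this is example configuration written here, not something posted by Andrew or jmp242), below is an `/etc/sssd/sssd.conf` fragment for the JSMITH scenario. The domain name `example.com` and the group `rhel-it-servers` are constructed placeholders; `access_provider`, `simple_allow_groups` and `ad_gpo_access_control` are real SSSD options, the last of which only exists in SSSD 1.14 and newer.

```ini
# Added example (not from the question or answer above): /etc/sssd/sssd.conf
# on a RHEL host joined to the constructed domain example.com.
# Authentication still happens against AD via Kerberos; the access_provider
# line is the Linux-side "who may log in" decision the answer refers to.

[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad

# Weak setting (also the default when access_provider is omitted): every
# enabled account in the domain may log in to this host, so JSMITH keeps
# access after moving to HR for as long as his AD account exists.
#access_provider = permit

# Corrected setting: only members of the listed AD group(s) may log in.
# Removing JSMITH from the constructed rhel-it-servers group in AD revokes
# his login on the next SSSD lookup without editing anything on the host.
access_provider = simple
simple_allow_groups = rhel-it-servers@example.com

# Alternative (SSSD 1.14+): have SSSD evaluate the "Allow log on locally" /
# "Deny log on locally" GPO rights linked to this computer object in AD.
#access_provider = ad
#ad_gpo_access_control = enforcing

# Verify the decision for one user and PAM service without logging in:
#   sssctl user-checks jsmith -s sshd
```

Whichever access provider is used, the check is on the RHEL side; AD group membership or GPO links are merely the data it consults, which is why an account that is still in the domain but outside the allowed set is refused.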