I am talking about using the Samba4-ad-dc in conjunction with PAM or some other method I haven't thought of to prevent users from logging on to certain servers. For example, I want my web designers to be able to log in to the web server, but I don't want them to log in to the VM server because they aren't supposed to be managing the virtual machines. I hope to manage it via group membership if possible.

On 12/08/2014 12:04 PM, Marc Muehlfeld wrote:
> Hello John,
>
> On 08.12.2014 at 11:55, John Lewis wrote:
>> What way do you recommend implementing host based access control? Should
>> I use GPO or LDAP host attribute?
>
> What are you exactly talking about?
>
> The more information you give, the higher the chance to get a
> (helpful) answer ;-)
>
> Regards,
> Marc
Hello John,

On 08.12.2014 at 18:22, John Lewis wrote:
> I am talking about using the Samba4-ad-dc in conjunction with PAM or
> some other method I haven't thought of to prevent users from logging on
> to certain servers.

You can't do this with GPO, because nothing on the server can interpret the GPO stuff. And I don't recommend changing the directory ACLs for that!

You can configure PAM to allow local/remote logins only for members of an (LDAP) group. There are many tutorials about that on the internet.

Regards,
Marc
Hi,

If you are using Windows as a client... Samba AD DC GPO does support client and host limitation with time limit. But I'm not too sure if that happens to any Linux client...

On Tue, Dec 9, 2014 at 1:30 AM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> Hello John,
>
> On 08.12.2014 at 18:22, John Lewis wrote:
> > I am talking about using the Samba4-ad-dc in conjunction with PAM or
> > some other method I haven't thought of to prevent users from logging on
> > to certain servers.
>
> You can't do this with GPO, because nothing on the server can interpret
> the GPO stuff. And I don't recommend changing the directory ACLs for that!
>
> You can configure PAM to allow local/remote logins only for members of
> an (LDAP) group. There are many tutorials about that on the internet.
>
> Regards,
> Marc
On 12/08/2014 12:30 PM, Marc Muehlfeld wrote:
> Hello John,
>
> On 08.12.2014 at 18:22, John Lewis wrote:
>> I am talking about using the Samba4-ad-dc in conjunction with PAM or
>> some other method I haven't thought of to prevent users from logging on
>> to certain servers.
>
> You can't do this with GPO, because nothing on the server can interpret
> the GPO stuff. And I don't recommend changing the directory ACLs for that!
>
> You can configure PAM to allow local/remote logins only for members of
> an (LDAP) group. There are many tutorials about that on the internet.
>
> Regards,
> Marc

PAM it is then. I am considering this one solved.
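
An added example, not part of the thread and not written by any of its participants: one way to audit the group-based PAM restriction the thread settles on. It assumes pam_access is the module used and that the AD group is named `webdesigners` (a hypothetical name) and resolves through NSS; the sample files are constructed stand-ins for /etc/pam.d/sshd and /etc/security/access.conf.

```shell
#!/bin/sh
# Audit a host's group-based login restriction (pam_access assumed).
# "webdesigners" is a hypothetical AD group that must resolve through
# NSS (winbind or sssd) for the (group) syntax to match.

# check_host_access PAM_SERVICE_FILE ACCESS_CONF GROUP
# Returns 0 only if all three conditions hold:
#   1. the service's account stack calls pam_access.so directly
#   2. access.conf has an allow rule naming (GROUP)
#   3. the last live rule is a catch-all deny; without it pam_access
#      grants access to every user that no rule matched
check_host_access() {
    pam_file=$1 access_conf=$2 group=$3
    # Drop comments and blank lines so only live rules are inspected.
    rules=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$access_conf")

    grep -Eq '^[[:space:]]*account[[:space:]]+(required|requisite)[[:space:]]+pam_access\.so' "$pam_file" \
        || { echo "FAIL: pam_access.so not in account stack of $pam_file"; return 1; }

    printf '%s\n' "$rules" | grep -Eq "^\+[[:space:]]*:.*\($group\).*:" \
        || { echo "FAIL: no allow rule for group ($group)"; return 1; }

    printf '%s\n' "$rules" | tail -n 1 \
        | grep -Eq '^-[[:space:]]*:[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' \
        || { echo "FAIL: last rule is not '- : ALL : ALL'"; return 1; }

    echo "OK: logins limited to ($group) plus any earlier allow rules"
}

# Constructed sample files for the web server.
demo=$(mktemp -d)
printf 'account required pam_access.so\n' > "$demo/sshd"
cat > "$demo/access.conf" <<'EOF'
# permission : users/groups : origins
+ : root : LOCAL
+ : (webdesigners) : ALL
- : ALL : ALL
EOF
# Same file without the final deny: the restriction silently does nothing.
grep -v '^- ' "$demo/access.conf" > "$demo/access-open.conf"

check_host_access "$demo/sshd" "$demo/access.conf" webdesigners
check_host_access "$demo/sshd" "$demo/access-open.conf" webdesigners || true
```

The check only looks at the named service file, so a distribution that pulls pam_access in through an included file (for example a shared account stack) needs that file passed instead.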