On 11/3/21 6:56 AM, Rowland Penny via samba wrote:
> On Wed, 2021-11-03 at 09:44 -0300, Cyrus wrote:
>> Thanks for the feedback. In the past, where MS AD was already present,
>> it was the working recipe in my experience.
>>
>> In this case, starting from scratch I would be happy to go with just
>> one solution.
>>
>> I wasn't able to find documentation to implement sudoers or HBAC.
>> Does it require schema extensions? Are they supported through
>> regular CLI tools or do they require direct LDAP manipulation?
>>
>> If you could share any pointers to related documentation, it would be
>> great. For some reason I'm failing to find them.
>
> Yes, you have to extend the AD schema for sudoers, then you use sudo
> with ldap. I can help with the first and there is quite a bit out there
> about the second. As for HBAC, presumably you can use GPOs for this
> and David Mulder would know about this. Talking about his work with
> Samba AD and GPOs, he has provided another method for sudo.
>
You can distribute sudoers policies and host access control via Samba
GPO (just as you would deploy Windows GPOs). I'm happy to show you how,
but you can also read about it here:
https://wiki.samba.org/index.php/Group_Policy#Sudoers_Policies
https://wiki.samba.org/index.php/Group_Policy#PAM_Access_Policies
--
*David Mulder*
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
<http://www.suse.com/>