On Wed, 2021-11-03 at 09:44 -0300, Cyrus wrote:
> Thanks for the feedback. In the past, where MS AD was already present,
> it was the working recipe in my experience.
>
> In this case, starting from scratch I would be happy to go with just
> one solution.
>
> I wasn't able to find documentation to implement sudoers or HBAC.
> Does it require schema extensions? Are they supported through
> regular CLI tools or do they require direct LDAP manipulation?
>
> If you could share any pointers to related documentation, it would be
> great. For some reason I'm failing to find them.

Yes, you have to extend the AD schema for sudoers, then you use sudo with ldap. I can help with the first and there is quite a bit out there about the second. As for HBAC, presumably you can use GPOs for this and David Mulder would know about this. Talking about his work with Samba AD and GPOs, he has provided another method for sudo.

Rowland

On 11/3/21 6:56 AM, Rowland Penny via samba wrote:
> On Wed, 2021-11-03 at 09:44 -0300, Cyrus wrote:
>> Thanks for the feedback. In the past, where MS AD was already present,
>> it was the working recipe in my experience.
>>
>> In this case, starting from scratch I would be happy to go with just
>> one solution.
>>
>> I wasn't able to find documentation to implement sudoers or HBAC.
>> Does it require schema extensions? Are they supported through
>> regular CLI tools or do they require direct LDAP manipulation?
>>
>> If you could share any pointers to related documentation, it would be
>> great. For some reason I'm failing to find them.
>
> Yes, you have to extend the AD schema for sudoers, then you use sudo
> with ldap. I can help with the first and there is quite a bit out there
> about the second. As for HBAC, presumably you can use GPOs for this
> and David Mulder would know about this. Talking about his work with
> Samba AD and GPOs, he has provided another method for sudo.
>

You can distribute sudoers policies and host access control via Samba GPO (just as you would deploy Windows GPOs). I'm happy to show you how, but you can also read about it here:

wiki.samba.org/index.php/Group_Policy#Sudoers_Policies
wiki.samba.org/index.php/Group_Policy#PAM_Access_Policies

--
*David Mulder*
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com