Mailing Lists: Apple Mailing Lists


Re: AD homedir config, group restriction



Charles,

We do have the AD broken up into OUs. Lots of them in fact. For
instance I have OU=math,OU=las,DC=ad,DC=uiuc,DC=edu. Most (all,
actually) of the user accounts are not inside of my OU, though I can
make accounts there if I need to. What I need to do is restrict logins
on machines to users who are in specific groups.

I wonder if I could simply use pam_group in /etc/pam.d/login and such.
I am not entirely clear on how loginwindow handles authentication and
authorization.

* Charles H Biel <email@hidden> [2004-04-21 19:02] wibbled:
> Hi Ben,
>
> Our AD admins broke groups up into OUs on the server side, which
> may be one approach to solving this problem. The primary reason this
> was done was to limit Windows guest users to certain computers on the
> domain. It quickly proved useful for other purposes. If a user is
> mapped to a certain OU, then you may be able to assume certain other
> settings. The more you are willing to customize, the more options you
> will have. It will probably mean more difficulty when the time comes
> for a major system upgrade or migration.
>
> Hope this helps,
> Charles
>
> On Wed, 21 Apr 2004, Ben Staffin wrote:
>
> > I've got two questions.
> >
> > 1) How do I restrict which groups of people are permitted to log in to a
> > mac attached to AD? I currently use AD for my lab machines, to which
> > anyone can log in. That's fine - but for office machines and other
> > non-public machines, I'd like to be able to specify which AD groups can
> > "log in locally", as Windows would call it.
> >
> > 2) Is there some way to specify _where_ AD users' home directories are?
> > My AD does not specify any homedir. Again, this is fine for my public
> > labs, where everybody gets a dynamically-created homedir, but for
> > machines in offices and such, people have homedirs on an AFP server.
> > Mounting them on login shouldn't be that hard, but afaict, the system
> > will still think that the homedir is /Users/username.
> >
> > Bonus points if you think up a way to have _some_ users have a specified
> > AFP or SMB or AFS homedir, and the rest get a generic autocreated
> > homedir on login.
> >
> > --
> > /--
> > | Ben Staffin
> > perpetual nerd |
> > --/
> > _______________________________________________
> > maclabmanager mailing list | email@hidden
> > Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/maclabmanager
> > Do not post admin requests to the list. They will be ignored.
>

--
/--
| Ben Staffin
perpetual nerd |
--/


References: 
 >AD homedir config, group restriction (From: Ben Staffin <email@hidden>)
 >Re: AD homedir config, group restriction (From: Charles H Biel <email@hidden>)


