Authenticating Windows Domain users on Linux servers

If you're running Linux servers in a Windows domain, it would be pretty cool if domain users could authenticate to your servers using their domain credentials and then sudo to root. But of course you'll want to prevent each and every domain user from having access to all your servers. Instead, you'll want to restrict access to members of a specific user group.

This howto shows the basic steps needed to allow members of the "admins" group to log in and get a shell.

  1. Perform a domain join.

  2. Install the Kerberos PAM module and sudo: apt-get install libpam-krb5 sudo

  3. Change in /etc/samba/smb.conf:

    winbind refresh tickets = yes
    template shell   = /bin/bash
    template homedir = /home/%D/%U

    Restart winbind for the changes to take effect.

  4. Now run:

    pam-auth-update --force

    Choose Unix and Kerberos.

  5. Configure which users may actually start a shell session once they have authenticated. Add at the end of /etc/pam.d/common-session:

    # always allow root: on success skip the next rule
    session [success=1 default=ignore] pam_succeed_if.so debug uid = 0
    # other users only if members of the admins group (resolved through winbind);
    # use the group name exactly as "getent group" reports it, which with winbind
    # is DOMAIN\admins unless "winbind use default domain = yes" is set
    session required pam_succeed_if.so debug user ingroup admins

  6. To allow these users to get a root shell using sudo, run visudo and paste in the following line:

    %admins ALL=(ALL:ALL) ALL
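Before closing the admin session it pays to verify that all three edited files really carry what the steps above describe. The script below is an added example, not part of the original howto: it checks smb.conf, common-session and sudoers from their paths (all given as arguments) and confirms that the group resolves through NSS; the group name "admins" follows the howto.

```shell
#!/usr/bin/env bash
# Added post-configuration check (not part of the original howto). It verifies
# that the files edited in steps 3, 5 and 6 contain the expected settings and
# that the gating group resolves through NSS. All paths are arguments.

# smb.conf: ticket refresh plus the winbind template shell/homedir (step 3).
check_smb_conf() {
  local f=$1
  grep -Eq '^[[:space:]]*winbind refresh tickets[[:space:]]*=[[:space:]]*yes' "$f" &&
  grep -Eq '^[[:space:]]*template shell[[:space:]]*=[[:space:]]*/bin/bash' "$f" &&
  grep -Eq '^[[:space:]]*template homedir[[:space:]]*=' "$f"
}

# common-session: the root bypass must be IMMEDIATELY followed by the ingroup
# rule, because success=1 skips exactly one module; any other order, or a
# placeholder like "[admins]" left in the group field, makes this fail (step 5).
check_pam_session() {
  local f=$1 grp=$2
  grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v g="$grp" '
    /^session[[:space:]]+\[success=1 default=ignore\][[:space:]]+pam_succeed_if\.so.*uid = 0/ { root = NR; next }
    /^session[[:space:]]+required[[:space:]]+pam_succeed_if\.so.*user ingroup / && $NF == g && root && NR == root + 1 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# sudoers: the %group line from step 6, exactly as pasted into visudo.
check_sudoers() {
  local f=$1 grp=$2
  grep -Eq "^%${grp}[[:space:]]+ALL=\(ALL:ALL\)[[:space:]]+ALL[[:space:]]*$" "$f"
}

# Run every check and report; non-zero exit means at least one step is incomplete.
run_all() {
  local smb=$1 pam=$2 sudoers=$3 grp=$4 rc=0
  check_smb_conf "$smb"           && echo "ok   smb.conf: refresh tickets + template settings" || { echo "FAIL smb.conf (step 3)"; rc=1; }
  check_pam_session "$pam" "$grp" && echo "ok   common-session: root bypass then ingroup $grp"  || { echo "FAIL common-session (step 5)"; rc=1; }
  check_sudoers "$sudoers" "$grp" && echo "ok   sudoers: %$grp has full sudo"                   || { echo "FAIL sudoers (step 6)"; rc=1; }
  # the group must resolve via NSS (winbind in nsswitch.conf) or the PAM rule never matches
  getent group "$grp" >/dev/null  && echo "ok   group $grp resolves via NSS"                     || { echo "FAIL group $grp not resolvable via getent"; rc=1; }
  return $rc
}

# Usage on a freshly configured server:
#   ./check-domain-login.sh /etc/samba/smb.conf /etc/pam.d/common-session /etc/sudoers admins
if [ "$#" -eq 4 ]; then run_all "$@"; fi
```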

That should get the basics to work. You'll now probably want to combine this with an NFS-shared /home/LOCALLAN mount (note the idmap config parts in my domain join howto) and PAM's mkhomedir module to auto-create server-side home directories for users who haven't logged in before.

Thanks to Kai for testing.