If you're running Linux servers in a Windows domain, it would be pretty cool if Domain users could authenticate to your servers using their domain credentials and then sudo to root. But of course you'll want to prevent each and every user having access to all your servers. Instead, you'll want to restrict access to members of a specific user group.
This howto shows the basic steps needed to allow members of the "admins" group to login and get a shell.
apt-get install libpam-krb5 sudo.
Change in /etc/samba/smb.conf:
winbind refresh tickets = yes template shell = /bin/bash template homedir = /home/%D/%U
Restart winbind for the changes to take effect.
Choose Unix and Kerberos.
Configure which users may actually start a shell session when they are logged in. Add at the end of /etc/pam.d/common-session:
# always allow root session [success=1 default=ignore] pam_succeed_if.so debug uid = 0 # other users only if members of the admin group (resolved through winbind) session required pam_succeed_if.so debug user ingroup [admins]
To allow these users to get a root shell using sudo, run visudo and paste in the following line:
%admins ALL=(ALL:ALL) ALL
That should get the basics to work. You'll now probably want to combine this with a NFS-shared /home/LOCALLAN mount (note the idmap config parts in my domain join howto) and PAM's mkhomedir module to auto-create server-side home directories for users that haven't logged in before.
Thanks to Kai for testing.