If you're running Linux servers in a Windows domain, it is convenient for domain users to authenticate to those servers with their domain credentials and then sudo to root. But you will not want every domain user to have access to all your servers; instead, restrict access to members of a specific group.
This howto shows the basic steps needed to allow members of the "admins" group to login and get a shell.
Install the winbind PAM module:

apt-get install libpam-winbind
Change in /etc/samba/smb.conf:
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
When the package install prompts you to select PAM profiles (pam-auth-update), choose Unix and Winbind.
Configure authentication (the part that verifies users' passwords and makes sure they are who they claim to be). Add to /etc/pam.d/common-auth:
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE \
    cached_login try_first_pass \
    require_membership_of=[LOCALLAN\Admins]
Configure which users may actually start a shell session once they have authenticated. Note that common-session is consulted for every login on the host, so a local (non-domain) account other than root is also denied a session unless it is a member of the admins group. Add to /etc/pam.d/common-session:
# always allow root
session [success=1 default=ignore] pam_succeed_if.so debug uid = 0
# other users only if members of the admin group (resolved through winbind)
session required pam_succeed_if.so debug user ingroup admins
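The order of those two session lines matters: the root bypass must come first and must use success=1 so it jumps over the group check, otherwise root itself gets locked out. The following audit script is an added example, not part of this howto; it parses a PAM stack (comments, backslash continuations and bracketed control fields) and reports whether it enforces that logic. The sample stack is constructed from the lines above plus a pam_unix.so line; the group name and file path are assumptions.

```python
import re

# Constructed sample: the common-session stack this howto builds (plus pam_unix).
SAMPLE_SESSION = """\
# always allow root
session [success=1 default=ignore] pam_succeed_if.so debug uid = 0
# other users only if members of the admin group (resolved through winbind)
session required pam_succeed_if.so debug user ingroup admins
session required pam_unix.so
"""

_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam(text):
    """Return (type, control, module, args) tuples; strips '#' comments, joins
    backslash continuations and accepts bracketed controls like [success=1 default=ignore]."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: glue to the next line
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        entries.append((typ, control.strip("[]"), module, (args or "").split()))
    return entries

def check_session_restriction(text, group="admins"):
    """Return a list of findings; empty means root skips the group check and
    every other user must be a member of `group` (assumed name) to get a session."""
    sessions = [e for e in parse_pam(text) if e[0] == "session"]
    group_check = ["user", "ingroup", group]
    for i, (_, control, module, args) in enumerate(sessions):
        if module == "pam_succeed_if.so" and args[-3:] == group_check:
            return [f"group check for {group!r} precedes the root bypass: root sessions would be denied"]
        if module == "pam_succeed_if.so" and args[-3:] == ["uid", "=", "0"]:
            findings = []
            if "success=1" not in control.split():
                findings.append("root bypass must use [success=1 default=ignore] to jump the group check")
            nxt = sessions[i + 1] if i + 1 < len(sessions) else None
            if nxt is None or nxt[1] != "required" or nxt[2] != "pam_succeed_if.so" or nxt[3][-3:] != group_check:
                findings.append(f"line after the root bypass must be 'session required pam_succeed_if.so ... user ingroup {group}'")
            return findings
    return ["no root bypass line (pam_succeed_if.so uid = 0) found"]

if __name__ == "__main__":
    # Assumed path; run on a real host to audit the live stack.
    with open("/etc/pam.d/common-session") as fh:
        print(check_session_restriction(fh.read()) or "OK")
```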
To allow these users to get a root shell using sudo, run visudo and paste in the following line:
%admins ALL=(ALL:ALL) ALL