So I've set up an Ubuntu server running the 8.04 release. I set it up to authenticate with our Active Directory using the likewise-open package using these instructions. Part of that setup was giving Domain Admin users who log in to the machine sudo access.

Now I'd like to deny login rights for all domain logins except for those users that are in the "Domain Admins" group. Local users should still be able to login. Anyone have any idea how to accomplish this?

A: 

On windows, this is done through group policy. Samba currently doesn't have any support for managing *nix clients with group policy (Samba 4 maybe??).

You can try allowing full control of the computer object for "Domain Admins", and removing all of the permissions for "everyone", but I don't think that will prevent login. I'm just wondering if not having the "Allowed to Authenticate" permission may inadvertently block logins. I'm far from being an AD expert, so this is just a guess.

Likewise does have a product to handle this, but I think it's only in their enterprise package.

[Edit] addendum

You can try using the netgroup syntax in /etc/passwd. You can verify the full name of the group you're in by running "id". If your group name has "\" or " " you may need to escape them.

At the end of your /etc/passwd file add the lines

+@AdminGroup::::::/bin/bash
+@Everyone::::::/sbin/nologin

This was designed for NIS netgroups, but it's worth a shot.

JimB
The only policies that work with the likewise-open package on Linux would be related to account/password policies. Things like the "Logon Locally" policy are in their enterprise product, but I'm looking for a way to do it using the free one by modifying the Linux system (kind of like the sudo thing).
Lance McNearney
Maybe using the netgroups syntax for /etc/passwd will work; I'll add it into the answer.
JimB
Wouldn't adding that cause all the domain admins to not be allowed to log in? This might have promise, but it would need to work the other way around: something like no logins for anyone unless they are in the sudo/domain admin group.
Lance McNearney
You're right, wasn't thinking. Fixed it, but I've still only tried this with NIS/LDAP.
JimB
A: 

Closing in 3 ... 2 ... 1

I can't stand when questions like this (non-programming) get closed.

rodey
A: 

I get to answer my own question! Jim's train of thought seemed promising, but I experimented with it and it doesn't look like the likewise-open LDAP authentication uses anything from the /etc/passwd file.

The correct way I got this to work was by editing /etc/security/pam_lwidentity.conf and un-commenting and editing the following section:

# make successful authentication dependent on membership of one of
# the following SIDs/groups/users (comma-separated)
require_membership_of = MYDOMAIN\domain^admins
Lance McNearney
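The accepted answer hinges on one line in /etc/security/pam_lwidentity.conf. Because a typo in that line (or a group name whose spaces were not written as "^", which is how Likewise renders them, as the "domain^admins" value above shows) locks every domain user out of the box, it is worth applying the change with a script that backs the file up, replaces the commented-out directive exactly once, and reads the active value back so you can confirm it before closing your existing root session. The script below is an added example written for this page, not code from the original thread or from Likewise; the sample config is constructed inline (the real file is /etc/security/pam_lwidentity.conf, as the answer says), and the group value "MYDOMAIN\domain^admins" is taken from the answer rather than from any real domain.

```shell
#!/bin/sh
# Added example (not from the original thread): idempotently set
# require_membership_of in a pam_lwidentity.conf-style file and read it back.
# Run against a constructed copy here; point FILE at the real
# /etc/security/pam_lwidentity.conf when you have tested it.

# Constructed sample of the relevant part of the config (the directive is
# shipped commented out, as in the answer above).
SAMPLE_CONF="${TMPDIR:-/tmp}/pam_lwidentity.conf.example.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# make successful authentication dependent on membership of one of
# the following SIDs/groups/users (comma-separated)
# require_membership_of = MYDOMAIN\some^group
EOF

# Regex matching the directive whether it is active or commented out.
DIRECTIVE_RE='^[[:space:]]*#?[[:space:]]*require_membership_of[[:space:]]*='

# set_require_membership_of FILE VALUE
# Backs FILE up to FILE.bak, then replaces the first require_membership_of
# line (active or commented) with an active one carrying VALUE, drops any
# further copies so the directive appears exactly once, and appends it if
# the file had none. Running it twice with the same value changes nothing.
set_require_membership_of() {
    file=$1
    value=$2
    cp "$file" "$file.bak"
    if grep -Eq "$DIRECTIVE_RE" "$file"; then
        # The value is handed to awk via the environment rather than -v,
        # because -v processes backslash escapes and would mangle "MYDOMAIN\...".
        V="$value" RE="$DIRECTIVE_RE" awk '
            $0 ~ ENVIRON["RE"] {
                if (!done) { print "require_membership_of = " ENVIRON["V"]; done = 1 }
                next
            }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'require_membership_of = %s\n' "$value" >> "$file"
    fi
}

# get_require_membership_of FILE
# Prints the active (uncommented) value, or nothing if the restriction is off.
get_require_membership_of() {
    sed -n 's/^[[:space:]]*require_membership_of[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# count_directives FILE
# Number of require_membership_of lines, active or commented; should be 1.
count_directives() {
    grep -Ec "$DIRECTIVE_RE" "$1" || true
}

# Demonstration on the constructed sample.
set_require_membership_of "$SAMPLE_CONF" 'MYDOMAIN\domain^admins'
echo "Active restriction: $(get_require_membership_of "$SAMPLE_CONF")"
echo "Resulting file:"
cat "$SAMPLE_CONF"
```

Before pointing this at the live file, run "id" as a domain user to copy the group name exactly as Likewise presents it, keep a root shell open, and test a login from a second session: one that is in the group must succeed and one that is not must fail. If both fail, restore the .bak file from the open root shell.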