As with Windows clients, we can use Active Directory security groups to control user SSH login and elevated SUDO rights on domain-joined Linux systems.
Applies to:
Debian Linux, Ubuntu Linux, Red Hat Linux, SUSE Linux, Windows Server 2012 through Windows Server 2025
Chapters
0:00 Introduction
0:38 Create Domain Groups for SSH Access
2:41 Verify AD Group Membership in Linux
3:22 Grant Domain Users SSH Access
5:18 Demonstrate SSH Access
6:46 Grant Domain Users SUDO Rights
8:01 Demonstrate SUDO Rights and Separation of Duties
9:06 Clear SSSD Cache
9:58 Thank you for watching
Glossary:
AD = Active Directory
ADAC = Active Directory Administrative Center
ADDS = Active Directory Domain Services
ADUC = Active Directory Users and Computers
OU = Organizational Unit
SCP = Secure Copy Protocol
SSH = Secure Shell
SSSD = System Security Services Daemon
SUDO = SuperUser DO
UPN = User Principal Name
GitHub:
https://github.com/DariensTips/Contro...
Commands:
Ubuntu: sudo systemctl restart ssh.service
Debian/Red Hat/SUSE: sudo systemctl restart sshd.service
sudo systemctl stop sssd
sudo sss_cache -E
sudo sh -c 'rm -f /var/lib/sss/db/* /var/lib/sss/mc/*'
sudo systemctl start sssd
sudo nano /etc/ssh/sshd_config.d/[filename].conf
sudo visudo -f /etc/sudoers.d/[filename]
PowerShell:
$daGroup2Add="[GroupName]"
$pth="OU=OrgUnit,DC=DomainComponent,DC=DomainComponent"
New-ADGroup -Name $daGroup2Add -GroupScope Universal -GroupCategory Security -Path $pth
Add-ADGroupMember -Identity $daGroup2Add -Members [adusers]
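Added example (not from the video or its GitHub repository): once the AD groups resolve on the Linux host, this script builds the sshd drop-in and sudoers rule for them in a staging directory and syntax-checks the sudoers file before anything is installed. The group names, file names and staging location are assumptions; run it as root.

```shell
#!/bin/sh
# Added example: build and syntax-check AD-group access rules before installing them.
# Group names and staged file names are constructed placeholders.

# sshd_config(5): an argument containing spaces is enclosed in double quotes.
# AllowGroups is exclusive: accounts outside the listed groups lose SSH login.
sshd_allow_line() {
    line="AllowGroups"
    for g in "$@"; do
        case $g in
            *" "*) line="$line \"$g\"" ;;
            *)     line="$line $g" ;;
        esac
    done
    printf '%s\n' "$line"
}

# sudoers(5): "%" marks a group; spaces in the name are backslash-escaped.
sudoers_rule() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# A group that NSS/SSSD cannot resolve would leave the rule matching nobody.
group_resolves() { getent group "$1" >/dev/null 2>&1; }

# usage: stage_rules SSH_GROUP SUDO_GROUP  (prints the staging directory)
stage_rules() {
    for g in "$1" "$2"; do
        group_resolves "$g" || { echo "unresolved group: $g" >&2; return 1; }
    done
    dir=$(mktemp -d) || return 1
    # Sudo admins are listed too so they can still log in over SSH.
    sshd_allow_line "$1" "$2" > "$dir/sshd-ad-groups.conf"
    sudoers_rule "$2" > "$dir/sudoers-ad-groups"
    chmod 0440 "$dir/sudoers-ad-groups"
    visudo -cf "$dir/sudoers-ad-groups" >&2 || return 1
    echo "$dir"
}

if [ "$#" -eq 2 ]; then stage_rules "$1" "$2"; fi
```

After copying the staged files into /etc/ssh/sshd_config.d/ and /etc/sudoers.d/, run sudo sshd -t before restarting the SSH service, and keep an existing root session open until a new login succeeds.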