Kent West wrote:
> Probably not the best place to put this information, but I figure here
> is better than nowhere...
>
> I'm tinkering with authenticating a Debian (10.1) box via Active
> Directory, so that an AD user can log into the Debian box.
>
> [...]
>
> The result is that if I have a local account that belongs to a
> completely different person than a person with a domain account of the
> same name, the domain account person, upon login, becomes the local
> account person, with full access as that person.
>
> Advice? Suggestions? Questions?
>

Last time I did central logins like that, I used OpenLDAP, so it may not be the same process. But as I recall, you had to change one of the PAM modules (possibly more than one) such that it prefers ldap (AD, whatever) over the local /etc/passwd file.

Additionally, I seem to recall some caveat of the "same username" not gracefully allowing you to "select"; so I just ended up having a secondary 'me_local' account that wasn't part of the LDAP setup.

It's been a few years (and a new job) since, so I might not have the notes anymore (The general info is usually something I hang onto, but the "basics of ldap" notes aren't immediately forthcoming).

--
|_|O|_|
|_|_|O|  Github: https://github.com/dpurgert
|O|O|O|  PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
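An added example, not code from either poster: a small audit for the same-name situation discussed in this thread, listing login names that exist both in a passwd-format file and in a directory user list, and whether `files` is the first `passwd` source in nsswitch.conf (in which case a lookup of that name returns the local entry). Assumptions: the directory user list is exported separately, names are compared case-insensitively, and all sample data below (including the `winbind` source) is constructed.

```python
"""Audit for login names present both locally and in a directory (added example)."""

# Constructed sample inputs, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1000:1000:John Smith:/home/jsmith:/bin/bash
me_local:x:1001:1001:Local admin:/home/me_local:/bin/bash
"""
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
"""
SAMPLE_DIRECTORY_USERS = ["JSmith", "akhan", "root"]  # hypothetical export


def local_accounts(passwd_text):
    """Map lower-cased login name -> UID for each entry of passwd-format text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # skip comments and malformed entries
        accounts[fields[0].lower()] = int(fields[2])
    return accounts


def passwd_sources(nsswitch_text):
    """Return the ordered NSS sources configured for the passwd database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            tokens = line.split(":", 1)[1].split()
            return [t for t in tokens if not t.startswith("[")]  # drop [NOTFOUND=...] actions
    return []


def collisions(passwd_text, nsswitch_text, directory_users):
    """List (name, local_uid, local_answers_first) for names in both stores."""
    local = local_accounts(passwd_text)
    sources = passwd_sources(nsswitch_text)
    local_first = bool(sources) and sources[0] in ("files", "compat")
    names = {u.lower() for u in directory_users}  # assumption: case-insensitive match
    return sorted((n, local[n], local_first) for n in names if n in local)


if __name__ == "__main__":
    for name, uid, local_first in collisions(SAMPLE_PASSWD, SAMPLE_NSSWITCH, SAMPLE_DIRECTORY_USERS):
        print(f"{name}: local uid {uid}, local entry answers first: {local_first}")
```

Any name it reports is a candidate for renaming the local account, as with the 'me_local' account mentioned above.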