Hi, I'm looking to make our administration of Linux machines easier by connecting our Linux boxes to our Active Directory to use our admin user accounts from AD to log onto the Linux boxes as well.
Right now users can log into the boxes via SSH using their Windows accounts through PAM. Unfortunately this allows all Windows users to log onto the boxes, which is quite unnecessary.
How can I reduce the ability for Windows accounts to log onto a Linux box through Active Directory group memberships? What I'm looking for is something based on winbind, LDAP or Kerberos which allows only members of a group linuxAdmins to log onto the Linux server, su'ing locally to a root account if necessary.
I'm looking at Debian 5 as the Linux platform right now.
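As an added illustration (not part of the original question), these are the settings that are typically combined on a winbind-joined Debian host to restrict logins to one AD group; the group name linuxAdmins comes from the question, the domain name EXAMPLE is a placeholder, and the file paths are the usual Debian locations:

```ini
# /etc/ssh/sshd_config -- sshd refuses the login before PAM is consulted
# unless the account is in one of these groups (winbind-resolved AD groups count).
AllowGroups linuxAdmins

# /etc/security/pam_winbind.conf -- pam_winbind rejects any AD account that is
# not in the listed group. This applies to every PAM service using pam_winbind
# (console, su, etc.), not only SSH. EXAMPLE is a placeholder domain name.
[global]
require_membership_of = EXAMPLE\linuxAdmins

# /etc/sudoers (edit with visudo) -- give the same group root via sudo rather
# than handing out the local root password.
%linuxAdmins ALL=(ALL) ALL
```

If smb.conf has `winbind use default domain = no`, winbind presents groups as `EXAMPLE\linuxAdmins` (using the configured `winbind separator`), and the AllowGroups and sudoers entries must use that form too; confirm the exact name with `getent group` before relying on it.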