On 08/02/2014 04:54 AM, swaite wrote:
> Not an issue so much as running something 24x7 as root, but rather
> ability to manage accounts and access centrally. In other words I dont
> want have go to say 10 or 20 machines and change each password for given
> account, but rather do so centrally. Or have ability for example to add
> apache user account to a given group, have change made across all
> servers at once.

Of course, and this is what directory integration is all about, and should
work already.

> I can tell you that NetIQ is not solution for us, simple matter of
> budget. So can I assume if we changed authentication from Samba to
> anything else, be same?

It may be worthwhile to talk about some philosophy behind security just in
case it has not come up before, as you already mentioned authentication.
Authentication via a directory is simple, and that is what Samba
integration gives you. Having groups in the directory also Posix-enabled
should mean that the same groups can show up on the *nix systems linked to
their respective users who are on that same *nix system. That's what a
directory gives you; lots of automated, simple, centralized
authentication. Hooray!

What you are asking about is not authentication, but authorization. That
you can login meas you can authenticate; what you do from there is all
about authorization and is another issue entirely. Are you authorized to
start/stop services? Normally that kind of thing is granted to the user
that started the service (a service account as which nobody would ever
authenticate since it's a service account, or maybe 'root' which implies
complete control given to somebody who can become 'root', etc.) or else is
delegated using things like 'sudo' and 'PUM' or similar technologies.

If you want to authorize something centralized, merely authenticating to
any source of authentication information will not get you there. For the
free option, 'sudo' is probably your best bet since you can configure sudo
to get its configuration data from a directory.

Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...