On Thu, Nov 01, 2018 at 04:51:59PM -0400, John Cunningham wrote:
> I'm trying to set up a laptop that users can use for remote access to a Windows Active Directory Domain, and would appreciate some guidance in the right direction. It looks pretty straightforward to get a Debian computer to authenticate with AD. But I can't get my head around the remote access part. In order to connect they would have to log in, and then connect via our VPN. But if they need to authenticate with AD, how do they log in? Even Windows isn't great with this, and it's their screwy system. If a new user just grabs a Windows laptop and tries to log in at a remote location, it will fail. They have to log in onsite first to get their credentials cached, and then they will be able to log in remotely. Setting up something like this in Debian would be great. Any ideas?

I've never done this myself, but I think via sssd it's possible to cache credentials from the AD in some fashion, so after one successful login on-site, future logins off-site can be validated against a cached credential, until some expiry time when one would need to refresh the cache by logging in on-site again.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.
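
An added example, not part of either message in this thread: the sssd.conf settings that control the offline credential caching and expiry described in the reply. The domain and realm names are placeholders and the numeric values are illustrative choices, not recommendations from the thread.

```ini
# /etc/sssd/sssd.conf
# example.com / EXAMPLE.COM are placeholder names (assumption, not from the thread).

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[pam]
# Days a cached credential remains usable for offline login, counted from the
# last successful online login. 0 (the default) means no limit, so a lost
# laptop would accept the cached password indefinitely.
offline_credentials_expiration = 14

# Limit password guessing against the local cache while offline:
# after 5 failed attempts, refuse further offline logins for 15 minutes.
# The default for offline_failed_login_attempts is 0 (no limit).
offline_failed_login_attempts = 5
offline_failed_login_delay = 15

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# After a successful online (on-site or VPN-connected) login, keep a salted
# hash of the password in the local SSSD cache so the same user can log in
# when no domain controller is reachable.
cache_credentials = True

# Days a user entry stays in the cache after the last successful login.
# Must be greater than or equal to offline_credentials_expiration.
account_cache_expiration = 30

# During an offline login, hold the password so SSSD can request a Kerberos
# ticket once the VPN is up and the domain becomes reachable. Trade-off: the
# password is held in plaintext in the kernel keyring until then.
krb5_store_password_if_offline = True
```

A user who has never logged in while the domain was reachable has no cache entry, so the first login still has to happen on-site or over an already established connection to the domain.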