As a follow-up to the discussion below, I have written a utility that synthesizes passwd(5) or group(5) entries from LDIF data, mimicking the entries that sssd produces when sssd is configured to auto-map uid/gid values from the Windows objectSid. It’s available here:
https://github.com/qralston/genent
It works for us in our environment; hopefully others will find it useful as well.
This is the initial release, so it may be buggy. Feedback, pull requests, issues, et al. are all welcome; please consult the TODO.md file.
On Fri, Oct 25, 2019 at 8:11 PM James Ralston ralston@pobox.com wrote:
On Wed, Oct 16, 2019 at 6:17 PM Jeff Thornsen jthornsen@gmail.com wrote:
The reason I ask is because I use a bunch of storage appliances that offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only support NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping, all of which require manual assignment of UID/GID numbers to objects in LDAP, which is untenable for large environments. Microsoft even removed Unix Attribute editor from their LDAP GUI for the RFC2307 attributes in Windows Server 2016 to push people away from using rfc2307.
[We're] working on a utility that will read an LDIF dump, and at the cost of a single getgrnam('domain users') call (to determine sssd's offset), will output either a passwd(5) or group(5) file in the same format that sssd would generate, at O(1) cost. Then we will serve up these synthesized passwd/group files for our storage appliance's consumption. It's Rube-Goldberg-esque, but it's the best we can do until our storage appliance vendor finally implements uid/gid auto-mapping from the objectSID.
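The procedure sketched above (one getgrnam('domain users') call to learn the domain's ID-mapping base, then uid/gid = base + RID for every objectSid in the LDIF dump), written out as an added example. This is illustrative code, not the genent utility's own source. It assumes sssd's documented objectSid mapping of id = per-domain range base + RID, that "Domain Users" carries the well-known RID 513, and it hard-codes a home-directory template, shell and lower-cased names in place of whatever fallback_homedir, default_shell and case_sensitive settings a real sssd.conf would apply. The LDIF records, the domain SID and the gid 200513 fed to domain_base() are constructed for the example, not taken from any real directory.

```python
"""Synthesize passwd(5)/group(5) lines from LDIF, mirroring sssd's objectSid
auto-mapping (uid/gid = domain range base + RID). Added example; the LDIF,
domain SID and gid below are constructed, not real directory data."""
import base64
import struct

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users" in every AD domain


def encode_sid(authority, *subauths):
    """Pack a SID into objectSid binary form: revision 1, sub-authority count,
    48-bit big-endian identifier authority, then 32-bit LE sub-authorities."""
    return (bytes([1, len(subauths)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def decode_sid(raw):
    """Render binary objectSid as its textual 'S-1-5-21-...' form."""
    count = raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (raw[0], authority, "-".join(map(str, subs)))


def rid_of(raw):
    """The RID is the SID's last sub-authority."""
    return int(decode_sid(raw).rsplit("-", 1)[1])


def parse_ldif(text):
    """Minimal LDIF reader: blank line ends a record, a leading space continues
    the previous line, 'attr:: value' is base64 (binary attributes like objectSid)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, attrs = [], {}
    for line in unfolded:
        if not line.strip():
            if attrs:
                records.append(attrs)
                attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    if attrs:
        records.append(attrs)
    return records


def domain_base(domain_users_gid):
    """sssd hands out id = base + RID, so the gid it gives 'domain users'
    (RID 513) reveals the domain's base with a single getgrnam() call."""
    return domain_users_gid - DOMAIN_USERS_RID


def synthesize(records, base, homedir="/home/%s", shell="/bin/bash"):
    """Return (passwd_lines, group_lines) in the shape sssd would produce.
    Lower-casing names and the homedir/shell defaults are assumptions."""
    users = {r["dn"][0]: r for r in records if "user" in r.get("objectClass", [])}
    passwd, group = [], []
    for r in users.values():
        name = r["sAMAccountName"][0].lower()
        uid = base + rid_of(r["objectSid"][0])
        gid = base + int(r["primaryGroupID"][0])  # primary group shares the base
        gecos = r.get("displayName", [name])[0]
        passwd.append("%s:*:%d:%d:%s:%s:%s" % (name, uid, gid, gecos, homedir % name, shell))
    for r in records:
        if "group" not in r.get("objectClass", []):
            continue
        name = r["sAMAccountName"][0].lower()
        gid = base + rid_of(r["objectSid"][0])
        members = sorted(users[m]["sAMAccountName"][0].lower()
                         for m in r.get("member", []) if m in users)
        group.append("%s:*:%d:%s" % (name, gid, ",".join(members)))
    return passwd, group


# Constructed domain SID S-1-5-21-1111-2222-3333 for the sample records
DOMAIN = (5, 21, 1111, 2222, 3333)


def _sid64(rid):
    return base64.b64encode(encode_sid(DOMAIN[0], *DOMAIN[1:], rid)).decode()


_alice = _sid64(1105)
SAMPLE_LDIF = (
    "dn: CN=Alice Example,CN=Users,DC=example,DC=test\n"
    "objectClass: top\nobjectClass: person\nobjectClass: user\n"
    "sAMAccountName: ALICE\ndisplayName: Alice Example\nprimaryGroupID: 513\n"
    "objectSid:: " + _alice[:20] + "\n " + _alice[20:] + "\n"  # folded line
    "\n"
    "dn: CN=Domain Users,CN=Users,DC=example,DC=test\n"
    "objectClass: top\nobjectClass: group\nsAMAccountName: Domain Users\n"
    "objectSid:: " + _sid64(DOMAIN_USERS_RID) + "\n"
    "member: CN=Alice Example,CN=Users,DC=example,DC=test\n"
)

if __name__ == "__main__":
    base = domain_base(200513)  # constructed: what getgrnam('domain users') might return
    for line in sum(synthesize(parse_ldif(SAMPLE_LDIF), base), []):
        print(line)
```

Because sssd's range base is derived from a hash of the domain SID, the single getgrnam() lookup is what keeps the synthesized files consistent with what sssd returns on the hosts themselves; if the LDIF dump spans more than one domain, the lookup has to be repeated per domain, since each domain lands in its own slice.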