Hi, to preserve compatibility, I'd like to map the AD users' default group to a local Linux group. I don't want to add every AD user to the row in /etc/group and I don't want to change default primary group of users in AD.
Is there a group mapping function in SSSD? Or am I completely wrong?
Thanks in advance -- Domenico Viggiani
On (30/07/15 11:11), Domenico Viggiani wrote:
> Hi, to preserve compatibility, I'd like to map the AD users' default group to a local Linux group.
Mixing local groups with LDAP groups is not supported by sssd. BTW do you use POSIX attributes from AD or do you use ID mapping?
In case of ID mapping we generate a group for the user. It has the same GID as the user's UID.
> I don't want to add every AD user to the row in /etc/group and I don't want to change default primary group of users in AD.
> Is there a group mapping function in SSSD? Or am I completely wrong?
What is your use case or what do you want to achieve?
LS
>> to preserve compatibility, I'd like to map the AD users' default group to a local Linux group.
> Mixing local groups with LDAP groups is not supported by sssd. BTW do you use POSIX attributes from AD or do you use ID mapping?
We use ID mapping (even if we already have POSIX extended attributes in AD and some day in the future this could change).
> In case of ID mapping we generate group for user. It has the same GID as use UID.
OK
>> I don't want to add every AD user to the row in /etc/group and I don't want to change default primary group of users in AD.
>> Is there a group mapping function in SSSD? Or am I completely wrong?
> What is your use case or what do you want to achieve?
We have some local, applicative users, living in various dirs under /home, but developers are allowed to access the server by SSH/SCP only using personal AD credentials. Then they want to be able to modify files freely without "su"-ing to the applicative user. Applicative dirs already have local group permissions that I cannot change; if I could put AD users in these groups, not one by one but by mapping a local group to an existing AD security group, it would be great!
Am I wrong?
Thanks again --
On Thu, Jul 30, 2015 at 12:27:00PM +0200, Domenico Viggiani wrote:
>>> to preserve compatibility, I'd like to map the AD users' default group to a local Linux group.
>> Mixing local groups with LDAP groups is not supported by sssd. BTW do you use POSIX attributes from AD or do you use ID mapping?
> We use ID mapping (even if we already have POSIX extended attributes in AD and some day in the future this could change)
>> In case of ID mapping we generate group for user. It has the same GID as use UID.
> OK
>>> I don't want to add every AD user to the row in /etc/group and I don't want to change default primary group of users in AD.
>>> Is there a group mapping function in SSSD? Or am I completely wrong?
>> What is your use case or what do you want to achieve?
> We have some local, applicative users, living in various dirs under /home but developers are allowed to access the server by SSH/SCP only using personal AD credentials. Then they want to be able to modify files freely without "su"-ing to applicative user. Applicative dirs already have local group permissions that I cannot change; if I could put AD users in this groups, not one by one but mapping local group to existing AD security group, it would be great!
You can put any centralized account into a local group, but you need to do it on all clients. I have an LDAP account "jhrozek" that is a member of local group mock:
$ grep mock /etc/group
mock:x:135:jhrozek
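Since sssd will not map an AD group onto a local one, the membership has to be pushed into /etc/group on every client, which is the "one by one" work the original poster wants to avoid. The script below is an added example and is not code from the thread or from the SSSD project: it resolves the AD security group through sssd with `getent group`, works out which members the local group lacks, and emits the `gpasswd -a` calls needed to add them (gpasswd looks users up through NSS, so sssd-provided accounts are accepted just like the "jhrozek" example above). The group names "developers" and "appdev", the GID values and the member lists are constructed for the example; the AD group is assumed to resolve under its short name.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD project: keep a local group
# in step with an AD security group that sssd resolves via `getent group`.
# The membership logic works on group(5)-style lines, so it runs offline; on a
# real client the lines come from getent and the plan is fed to gpasswd.

# members_of LINE: print the comma-separated member field (4th) of a group line.
members_of() {
    printf '%s\n' "$1" | cut -d: -f4
}

# missing_members ADLINE LOCALLINE: AD members absent from the local group,
# one per line, in AD order. Whole-token match, so "bob" does not match "bobby".
missing_members() {
    local_list=$(members_of "$2")
    members_of "$1" | tr ',' '\n' | while IFS= read -r u; do
        [ -n "$u" ] || continue
        case ",$local_list," in
            *",$u,"*) ;;                      # already a member, nothing to do
            *) printf '%s\n' "$u" ;;
        esac
    done
}

# plan_sync ADLINE LOCALLINE LOCALNAME: print the gpasswd commands that would
# add the missing users. Nothing is executed here; review, then pipe to sh.
plan_sync() {
    missing_members "$1" "$2" | while IFS= read -r u; do
        printf 'gpasswd -a %s %s\n' "$u" "$3"
    done
}

# sync_group ADGROUP LOCALGROUP: the real thing, run as root on each client.
# Fails closed if sssd cannot resolve the AD group (e.g. directory unreachable)
# rather than treating an unresolvable group as "no members".
sync_group() {
    ad_line=$(getent group "$1") || { echo "AD group $1 not resolvable via sssd" >&2; return 1; }
    local_line=$(getent group "$2") || { echo "local group $2 missing" >&2; return 1; }
    plan_sync "$ad_line" "$local_line" "$2" | sh -e
}

# Constructed sample lines in the shape getent prints them. The AD GID is an
# ID-mapped value invented for the example; "appdev" stands in for the
# applicative group whose permissions cannot be changed.
AD_LINE='developers:*:1435200513:alice,bob,carol'
LOCAL_LINE='appdev:x:1002:appuser,bob'
```

Run `sync_group developers appdev` from cron or a configuration-management hook on each client; because it only ever adds, removing someone from the AD group does not remove them locally, so a complete solution would also compute the reverse difference and call `gpasswd -d`. Note that the local group's GID, not the AD group's, is what ends up in the process credentials, which is exactly what the unchangeable directory permissions require.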
> You can put any centralized account into a local group, but you need to do it on all clients. I have an LDAP account "jhrozek" that is a member of local group mock:
> $ grep mock /etc/group
> mock:x:135:jhrozek
OK, I know, but I'd like to avoid inserting the AD developers' accounts in the local group one by one :(
Thanks again --
On 07/30/2015 07:42 AM, Domenico Viggiani wrote:
>> You can put any centralized account into a local group, but you need to do it on all clients. I have an LDAP account "jhrozek" that is a member of local group mock:
>> $ grep mock /etc/group
>> mock:x:135:jhrozek
> OK, I know but I'd like to avoid to insert AD developers' account in the local group one by one :(
> Thanks again
> sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
I have a setup that allows me to centrally manage local groups. Maybe it can help here.
Because I am using RFC2307bis in OpenLDAP, which Windows AD supports, I can have groupOfNames groups with an additional objectClass of posixGroup.
I installed the migrationtools package, so I could use the scripts to create the POSIX user, group, etc. info in LDAP. It took some minor modifications to the scripts to output the data in LDIF format according to my DIT hierarchy. I then ran the script and imported the LDIF. I now have all the POSIX info in my DIT.
By adding the posixAccount objectClass to my user object in LDAP, which has the inetOrgPerson structural objectClass, I can add uid/gid values to the object. If I add my user object to one of the groupOfNames groups that has the additional posixAccount objectClass, I can see my ID in that group when I log into a box and run "id".
Using sssd, and configuring /etc/nsswitch.conf to point to sss for group, as primary and files as secondary, I get to use the centrally managed local groups on all of my hosts. I make one change and all devices get the update (upon logout and then login). nsswitch.conf points passwd, shadow, sudoers, netgroup, and automount to files as primary and sss as secondary. I made sure to leave passwd as files first, so that root is always local and can log in should the network or directory not be available.
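The NSS ordering in the message above is the part that matters for availability: passwd and shadow must list files before sss so root still resolves when the directory is down, while group lists sss first so the centrally managed groups take precedence. The following is an added example, not the poster's own files or anything from the SSSD project: a constructed nsswitch.conf in that layout plus a small check that reports when a client's ordering drifts from it. The sample file contents and the database names checked are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD project: the nsswitch.conf
# precedence the previous message describes, and a check that a client really
# has it. The config text below is constructed for the example.

NSSWITCH_SAMPLE='# constructed sample /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      sss files
sudoers:    files sss
netgroup:   files sss
automount:  files sss
hosts:      files dns'

# nss_sources FILE DB: print the source list of one database with comments
# stripped, e.g. "files sss". Prints nothing if the database is not configured.
nss_sources() {
    sed -e 's/#.*//' "$1" |
        awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# first_source FILE DB: the source consulted first for a database.
first_source() {
    nss_sources "$1" "$2" | awk '{ print $1 }'
}

# check_precedence FILE: returns 0 when passwd and shadow start with "files"
# (root stays resolvable without the directory) and group starts with "sss"
# (central groups win over stale local copies); otherwise prints one line per
# violation to stderr and returns 1.
check_precedence() {
    rc=0
    for db in passwd shadow; do
        [ "$(first_source "$1" "$db")" = files ] ||
            { echo "$db: files must come first, got '$(nss_sources "$1" "$db")'" >&2; rc=1; }
    done
    [ "$(first_source "$1" group)" = sss ] ||
        { echo "group: sss must come first, got '$(nss_sources "$1" group)'" >&2; rc=1; }
    return $rc
}

# write_sample DIR: materialise the constructed config in DIR; prints its path.
write_sample() {
    printf '%s\n' "$NSSWITCH_SAMPLE" > "$1/nsswitch.conf"
    printf '%s\n' "$1/nsswitch.conf"
}
```

On a real host run `check_precedence /etc/nsswitch.conf`; it only inspects the file, so it is safe to wire into a compliance check that runs before sssd changes are rolled out. Keeping passwd as files-first also means a local account that shadows a directory account (same name) wins, which is worth auditing on its own.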