Hi,
I need to have several EL machines in an AD env. Joining the machines was easier than expected using authconfig, but what happens now is that blahdomain\blahuser gets assigned a different, random ID each time I use a different station. In AD I did specify the UID and GID in the UNIX Attributes tab for blahuser, but it gets totally ignored; so do the other values (for home, shell etc).
Ideally I'd have all the users assigned a static uid and gid from AD and have /home on all machines mounted from NFS; but right now if I log in with blahuser to another machine my $HOME is owned by another random id.
Suggestions? What am I missing? I'm quite a noob with Windows :)
Cheers
On Tue, Mar 29, 2011 at 06:07:46PM +0100, nux@li.nux.ro wrote:
Hi,
I need to have several EL machines in an AD env. Joining the machines was easier than expected using authconfig, but what happens now is that blahdomain\blahuser gets assigned a different, random ID each time I use a different station. In AD I did specify the UID and GID in the UNIX Attributes tab for blahuser, but it gets totally ignored; so do the other values (for home, shell etc).
Ideally I'd have all the users assigned a static uid and gid from AD and have /home on all machines mounted from NFS; but right now if I log in with blahuser to another machine my $HOME is owned by another random id.
Suggestions? What am I missing? I'm quite a noob with Windows :)
Cheers
You might try taking a look at idmap_ad(8) (and the other idmap_* man pages as well).
I'm not sure which idmap backend gets used by default (RID?). I did think idmap_rid would result in consistent UID/GID mappings based on the SID assuming you choose the same ranges on each server...
Ray
Ray Van Dolson writes:
On Tue, Mar 29, 2011 at 06:07:46PM +0100, nux@li.nux.ro wrote: You might try taking a look at idmap_ad(8) (and the other idmap_* man pages as well).
I'm not sure which idmap backend gets used by default (RID?). I did think idmap_rid would result in consistent UID/GID mappings based on the SID assuming you choose the same ranges on each server...
Ray
Ray,
Thanks for the tip. I will have a look in this whole idmap thing. AFAIK the IDs are assigned by winbind from a rather generous range, but I think it's the same range on every machine.
On Tue, Mar 29, 2011 at 06:25:06PM +0100, nux@li.nux.ro wrote:
Ray Van Dolson writes:
On Tue, Mar 29, 2011 at 06:07:46PM +0100, nux@li.nux.ro wrote: You might try taking a look at idmap_ad(8) (and the other idmap_* man pages as well).
I'm not sure which idmap backend gets used by default (RID?). I did think idmap_rid would result in consistent UID/GID mappings based on the SID assuming you choose the same ranges on each server...
Ray
Ray,
Thanks for the tip. I will have a look in this whole idmap thing. AFAIK the IDs are assigned by winbind from a rather generous range, but I think it's the same range on every machine.
FYI, idmap_tdb(8) is the default backend.
I am using it on several servers and seeing the same UID's generated on each of them (with identical idmap uid/gid configuration ranges set of course).
Ray
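As an added illustration (not code from anyone in this thread), the following Python models the two kinds of backend being discussed: an allocating backend such as idmap_tdb hands out the next free ID from a per-host database in the order SIDs are first looked up, whereas idmap_rid derives ID = RID - BASE_RID + LOW_RANGE_ID from the SID itself, so identical ranges on every host yield identical IDs. The domain SID, RIDs, user names and the 16777216-33554431 range are constructed/assumed sample values.

```python
import re
from collections import defaultdict
# Domain SID: S-1-5-21-<a>-<b>-<c>-<RID>; the trailing RID identifies the account.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))

def idmap_rid(sid, low, high, base_rid=0):
    """idmap_rid(8) arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID. Depends only
    on the SID and the range, so equal ranges give equal IDs on every host."""
    uid = rid_of(sid) - base_rid + low
    return uid if low <= uid <= high else None  # None: outside the range

class TdbAllocator:
    """Model of an allocating backend (idmap_tdb): a SID seen for the first time
    on a host gets that host's next free ID, so the result depends on lookup order."""
    def __init__(self, low, high):
        self.next_id, self.high, self.table = low, high, {}
    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]

def inconsistent_users(host_maps):
    """host_maps: {host: {user: uid}}. Users whose UID differs between hosts."""
    seen = defaultdict(set)
    for uids in host_maps.values():
        for user, uid in uids.items():
            seen[user].add(uid)
    return sorted(u for u, ids in seen.items() if len(ids) > 1)

# Constructed sample: two hosts that resolved the same users in opposite order.
DOMAIN = "S-1-5-21-1111-2222-3333"
USERS = {"blahuser": f"{DOMAIN}-1105", "otheruser": f"{DOMAIN}-1106"}
RANGE = (16777216, 33554431)  # assumed authconfig-style winbind range
def demo():
    host_a, host_b = TdbAllocator(*RANGE), TdbAllocator(*RANGE)
    tdb = {"host-a": {u: host_a.lookup(USERS[u]) for u in ("blahuser", "otheruser")},
           "host-b": {u: host_b.lookup(USERS[u]) for u in ("otheruser", "blahuser")}}
    rid = {h: {u: idmap_rid(s, 10000, 20000) for u, s in USERS.items()}
           for h in ("host-a", "host-b")}
    return inconsistent_users(tdb), inconsistent_users(rid)
```

demo() returns the users whose UIDs disagree between hosts under each model: both users under the allocating model, none under idmap_rid.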
----- Original Message -----
Ray Van Dolson writes:
On Tue, Mar 29, 2011 at 06:07:46PM +0100, nux@li.nux.ro wrote:
You might try taking a look at idmap_ad(8) (and the other idmap_* man pages as well).
I'm not sure which idmap backend gets used by default (RID?). I did think idmap_rid would result in consistent UID/GID mappings based on the SID assuming you choose the same ranges on each server...
Ray
Ray,
Thanks for the tip. I will have a look in this whole idmap thing. AFAIK the IDs are assigned by winbind from a rather generous range, but I think it's the same range on every machine.
You may also need to look at having Service For UNIX installed on Windows 2003 machines. R2 and 2008 have it included but you need to enable it. This will add another tab to the user properties where you can assign fixed UID/GIDs
James A. Peltier writes:
You may also need to look at having Service For UNIX installed on Windows 2003 machines. R2 and 2008 have it included but you need to enable it. This will add another tab to the user properties where you can assign fixed UID/GIDs
James,
Thanks, the AD is 2008 R2 and I already have said service enabled.
-- Nux! www.nux.ro
On Mar 29, 2011, at 1:18 PM, Ray Van Dolson wrote:
On Tue, Mar 29, 2011 at 06:07:46PM +0100, nux@li.nux.ro wrote:
Hi,
I need to have several EL machines in an AD env. Joining the machines was easier than expected using authconfig, but what happens now is that blahdomain\blahuser gets assigned a different, random ID each time I use a different station. In AD I did specify the UID and GID in the UNIX Attributes tab for blahuser, but it gets totally ignored; so do the other values (for home, shell etc).
Ideally I'd have all the users assigned a static uid and gid from AD and have /home on all machines mounted from NFS; but right now if I log in with blahuser to another machine my $HOME is owned by another random id.
Suggestions? What am I missing? I'm quite a noob with Windows :)
Cheers
You might try taking a look at idmap_ad(8) (and the other idmap_* man pages as well).
I'm not sure which idmap backend gets used by default (RID?). I did think idmap_rid would result in consistent UID/GID mappings based on the SID assuming you choose the same ranges on each server...
Ray
If you use something like Centrify Express or Likewise Open, the UID/GIDs are calculated the same way every time on every system that uses the software so it makes, IMO, setup & management a lot easier.
Chris
On Tue, Mar 29, 2011 at 02:13:13PM -0400, Christopher Hearn wrote:
On Mar 29, 2011, at 1:18 PM, Ray Van Dolson wrote:
On Tue, Mar 29, 2011 at 06:07:46PM +0100, nux@li.nux.ro wrote:
Hi,
I need to have several EL machines in an AD env. Joining the machines was easier than expected using authconfig, but what happens now is that blahdomain\blahuser gets assigned a different, random ID each time I use a different station. In AD I did specify the UID and GID in the UNIX Attributes tab for blahuser, but it gets totally ignored; so do the other values (for home, shell etc).
Ideally I'd have all the users assigned a static uid and gid from AD and have /home on all machines mounted from NFS; but right now if I log in with blahuser to another machine my $HOME is owned by another random id.
Suggestions? What am I missing? I'm quite a noob with Windows :)
Cheers
You might try taking a look at idmap_ad(8) (and the other idmap_* man pages as well).
I'm not sure which idmap backend gets used by default (RID?). I did think idmap_rid would result in consistent UID/GID mappings based on the SID assuming you choose the same ranges on each server...
Ray
If you use something like Centrify Express or Likewise Open, the UID/GIDs are calculated the same way every time on every system that uses the software so it makes, IMO, setup & management a lot easier.
Chris
I can vouch for Likewise Open just working. However, it too is based on Samba and based on the OP's information, he should be able to achieve deterministic UID/GID numbers across his system with standard OS packages only if that is his goal.
That said, if you have a variety of platforms and OS'es to support, Likewise is a great option... (never tried Centrify)
Ray
On 3/29/2011 1:29 PM, Ray Van Dolson wrote:
If you use something like Centrify Express or Likewise Open, the UID/GIDs are calculated the same way every time on every system that uses the software so it makes, IMO, setup & management a lot easier.
Chris
I can vouch for Likewise Open just working. However, it too is based on Samba and based on the OP's information, he should be able to achieve deterministic UID/GID numbers across his system with standard OS packages only if that is his goal.
That said, if you have a variety of platforms and OS'es to support, Likewise is a great option... (never tried Centrify)
Do either/both of these let you add accounts for the Linux side that don't propagate back to AD? I'd like something to use in a lab so existing users/passwords didn't take extra work but we could still add accounts that don't exist (and we don't want) in AD. Easy hooks for apache and java web services to see the combined accounts would be a big plus.
On Tue, Mar 29, 2011 at 01:37:38PM -0500, Les Mikesell wrote:
On 3/29/2011 1:29 PM, Ray Van Dolson wrote:
If you use something like Centrify Express or Likewise Open, the UID/GIDs are calculated the same way every time on every system that uses the software so it makes, IMO, setup & management a lot easier.
Chris
I can vouch for Likewise Open just working. However, it too is based on Samba and based on the OP's information, he should be able to achieve deterministic UID/GID numbers across his system with standard OS packages only if that is his goal.
That said, if you have a variety of platforms and OS'es to support, Likewise is a great option... (never tried Centrify)
Do either/both of these let you add accounts for the Linux side that don't propagate back to AD? I'd like something to use in a lab so existing users/passwords didn't take extra work but we could still add accounts that don't exist (and we don't want) in AD. Easy hooks for apache and java web services to see the combined accounts would be a big plus.
My understanding is you'd have to rely on local accounts or a second centralized authentication source (probably done via NSS not via Likewise directly).
Maybe allowing the accounts to float back to AD but somehow restricting them for Unix login use only...
(We have a long-standing project to migrate off NIS to AD-only -- preserving UID's/GID's and defining the sort of access requirements you describe is a bit of a challenge).
Ray
On 3/29/2011 2:27 PM, Ray Van Dolson wrote:
That said, if you have a variety of platforms and OS'es to support, Likewise is a great option... (never tried Centrify)
Do either/both of these let you add accounts for the Linux side that don't propagate back to AD? I'd like something to use in a lab so existing users/passwords didn't take extra work but we could still add accounts that don't exist (and we don't want) in AD. Easy hooks for apache and java web services to see the combined accounts would be a big plus.
My understanding is you'd have to rely on local accounts or a second centralized authentication source (probably done via NSS not via Likewise directly).
Maybe allowing the accounts to float back to AD but somehow restricting them for Unix login use only...
(We have a long-standing project to migrate off NIS to AD-only -- preserving UID's/GID's and defining the sort of access requirements you describe is a bit of a challenge).
I thought I had seen tools that can proxy LDAP services to multiple backends, with one of them being AD but at the time it seemed too complicated so I set up pam_smb and mod_auth_pam in apache (and set up apache to not require account info). That lets me add local accounts to a machine for the people who either need login-type services or aren't in AD and still accept passwords that are in AD. But, it has to be repeated per machine and I don't have java web services working with it. What I'd like to have is an LDAP server or even a separate AD server to manage extra users and then a proxy service that combines the logins from both sources for any number of clients. Basically I want to trust both authentication sources, but not add mine to the main AD or have it trust mine, and I want it in a way that apache, java, etc. already understand, besides being usable for login service.
Ray Van Dolson writes:
On Tue, Mar 29, 2011 at 02:13:13PM -0400, Christopher Hearn wrote:
On Mar 29, 2011, at 1:18 PM, Ray Van Dolson wrote:
On Tue, Mar 29, 2011 at 06:07:46PM +0100, nux@li.nux.ro wrote:
Hi,
I need to have several EL machines in an AD env. Joining the machines was easier than expected using authconfig, but what happens now is that blahdomain\blahuser gets assigned a different, random ID each time I use a different station. In AD I did specify the UID and GID in the UNIX Attributes tab for blahuser, but it gets totally ignored; so do the other values (for home, shell etc).
Ideally I'd have all the users assigned a static uid and gid from AD and have /home on all machines mounted from NFS; but right now if I log in with blahuser to another machine my $HOME is owned by another random id.
Suggestions? What am I missing? I'm quite a noob with Windows :)
Cheers
You might try taking a look at idmap_ad(8) (and the other idmap_* man pages as well).
I'm not sure which idmap backend gets used by default (RID?). I did think idmap_rid would result in consistent UID/GID mappings based on the SID assuming you choose the same ranges on each server...
Ray
If you use something like Centrify Express or Likewise Open, the UID/GIDs are calculated the same way every time on every system that uses the software so it makes, IMO, setup & management a lot easier.
Chris
I can vouch for Likewise Open just working. However, it too is based on Samba and based on the OP's information, he should be able to achieve deterministic UID/GID numbers across his system with standard OS packages only if that is his goal.
That said, if you have a variety of platforms and OS'es to support, Likewise is a great option... (never tried Centrify)
Ray
Thanks for the suggestion, but I already tried Likewise (on some Ubuntu machine though) and it didn't work for me; however for my needs authconfig does a great job and if I get the UID/GID issue solved I'm all settled. Following Adam's advice I got the GID from UNIX Attributes respected, so I'm getting closer. :-)
Thanks for all the replies!
-- Nux! www.nux.ro
On Tue, 2011-03-29 at 18:07 +0100, nux@li.nux.ro wrote:
I need to have several EL machines in an AD env. Joining the machines was easier than expected using authconfig, but what happens now is that blahdomain\blahuser gets assigned a different, random ID each time I use a different station. In AD I did specify the UID and GID in the UNIX Attributes tab for blahuser, but it gets totally ignored; so do the other values (for home, shell etc).
Do you have UNIX identity management turned on in AD?
If so I think you can -
    idmap backend = ad
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind cache time = 300
Ideally I'd have all the users assigned a static uid and gid from AD and have /home on all machines mounted from NFS; but right now if I log in with blahuser to another machine my $HOME is owned by another random id. Suggestions? What am I missing? I'm quite a noob with Windows :)
This is winbind stuff.