Hello,

I want my domain users to be able to connect to our linux servers using their AD username through LDAP.

I am using nslcd and pam_ldap to do so, but I am having a hard time trying to figure out why the GID is not working properly.

# getent passwd Guilherme
Guilherme:*:10000:*513*:Guilherme:/home/Guilherme:/bin/bash

# getent group|grep 513

# id Guilherme
uid=10000(Guilherme) gid=513 grupos=513,10001(it),10000(Domain Users)

/etc/nslcd.conf: (bind not included)
filter passwd (objectClass=user)
filter group (objectClass=group)

map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group uniqueMember member

I know that 513 should mean "Domain Users" from ADUC. However, "Domain Users" has the "UNIX Attributes" configuration of GID=10000.

# getent group|grep 10000
Domain Users:*:10000:

Should I change the UNIX Attributes ID of Domain Users to 513?
What am I doing wrong?

Thanks
On 21/08/15 20:08, Guilherme Boing wrote:
> Hello,
>
> I want my domain users to be able to connect to our linux servers using
> their AD username through LDAP.

What do you mean 'through LDAP' ?

> I am using nslcd and pam_ldap to do so, but I am having some hard time
> trying to figure out why the GID is not working properly.
>
> # getent passwd Guilherme
> Guilherme:*:10000:*513*:Guilherme:/home/Guilherme:/bin/bash
>
> # getent group|grep 513
>
> # id Guilherme
> uid=10000(Guilherme) gid=513 grupos=513,10001(it),10000(Domain Users)
>
> /etc/nslcd.conf: (bind not included)
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> map group uniqueMember member
>
> I know that 513 should mean "Domain Users" from ADUC. However, "Domain
> Users" has the "UNIX Attributes" configuration of GID=10000.

How do you 'know' 513 should mean "Domain Users" ?
513 is the RID of "Domain Users" and by your own admission "Domain Users" has the gidNumber of 10000.
RID does not necessarily equal gidNumber.

> # getent group|grep 10000
> Domain Users:*:10000:
>
> Should I change the UNIX Attributes ID of Domain Users to 513 ?
> What am I doing wrong ?
>
> Thanks

You can if you so wish, but you will need to 'chgrp' anything stored on Unix owned by the "Domain Users" group.

Rowland
Hey,

By "through LDAP" I meant that our linux servers would look for the users using pam_ldap.

Anyway, I was able to "fix" this by mapping gidNumber to gidNumber instead of primaryGroupID on nslcd.conf.

$ id
uid=10000(Guilherme) gid=10001(it) grupos=10001(it)

On Fri, Aug 21, 2015 at 4:28 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 21/08/15 20:08, Guilherme Boing wrote:
>
>> Hello,
>>
>> I want my domain users to be able to connect to our linux servers using
>> their AD username through LDAP.
>>
>
> What do you mean 'through LDAP' ?
>
>
>> I am using nslcd and pam_ldap to do so, but I am having some hard time
>> trying to figure out why the GID is not working properly.
>>
>> # getent passwd Guilherme
>> Guilherme:*:10000:*513*:Guilherme:/home/Guilherme:/bin/bash
>>
>> # getent group|grep 513
>>
>> # id Guilherme
>> uid=10000(Guilherme) gid=513 grupos=513,10001(it),10000(Domain Users)
>>
>> /etc/nslcd.conf: (bind not included)
>> filter passwd (objectClass=user)
>> filter group (objectClass=group)
>>
>> map passwd uid sAMAccountName
>> map passwd homeDirectory unixHomeDirectory
>> map passwd gecos displayName
>> map passwd gidNumber primaryGroupID
>> map group uniqueMember member
>>
>> I know that 513 should mean "Domain Users" from ADUC. However, "Domain
>> Users" has the "UNIX Attributes" configuration of GID=10000.
>>
>
> How do you 'know' 513 should mean "Domain Users" ?
> 513 is the RID of "Domain Users" and by your own admission "Domain Users"
> has the gidNumber of 10000
> RID does not necessarily equal gidNumber
>
>
>> # getent group|grep 10000
>> Domain Users:*:10000:
>>
>> Should I change the UNIX Attributes ID of Domain Users to 513 ?
>> What am I doing wrong ?
>>
>> Thanks
>>
>
> You can if you so wish, but you will need to 'chgrp' anything stored on
> Unix owned by the "Domain Users" group.
>
> Rowland
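A worked illustration of the RID-versus-gidNumber point Rowland makes, added here as an example and not taken from the thread or from nslcd's own code. It emulates what "map passwd gidNumber primaryGroupID" puts into the passwd gid field against constructed directory entries, contrasts it with mapping gidNumber to gidNumber, and shows the RID-to-objectSid hop that would be needed to turn primaryGroupID 513 into Domain Users' gidNumber 10000. The domain SID, the RID of the "it" group and all function names are assumptions; the user, group names and numbers are the ones quoted in the thread.

```python
from typing import Dict, List, Optional, Tuple

# Constructed directory entries (not real AD data). The domain SID and the
# RID of the "it" group are assumed; the names, uid/gid numbers and
# primaryGroupID 513 are the values quoted in the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USER = {"sAMAccountName": "Guilherme", "uidNumber": 10000,
        "primaryGroupID": 513, "gidNumber": 10001}
GROUPS = [
    {"cn": "Domain Users", "objectSid": DOMAIN_SID + "-513", "gidNumber": 10000},
    {"cn": "it", "objectSid": DOMAIN_SID + "-1105", "gidNumber": 10001},
]


def rid_of(sid: str) -> int:
    """The last dash-separated component of an SDDL SID string is the RID."""
    return int(sid.rsplit("-", 1)[1])


def group_by_gid(groups: List[Dict], gid: int) -> Optional[Dict]:
    return next((g for g in groups if g["gidNumber"] == gid), None)


def group_by_rid(groups: List[Dict], rid: int) -> Optional[Dict]:
    return next((g for g in groups if rid_of(g["objectSid"]) == rid), None)


def nslcd_primary_gid(user: Dict, groups: List[Dict],
                      mapped_attr: str) -> Tuple[int, Optional[str]]:
    """Emulate 'map passwd gidNumber <mapped_attr>': nslcd copies the attribute
    value into the passwd gid field as-is, and getent/id then look that number
    up by gidNumber. Returns (gid, group name or None if nothing matches)."""
    gid = int(user[mapped_attr])
    group = group_by_gid(groups, gid)
    return gid, (group["cn"] if group else None)


def sid_resolved_primary_gid(user: Dict,
                             groups: List[Dict]) -> Optional[Tuple[int, str]]:
    """The hop a plain attribute map cannot do: treat primaryGroupID as a RID,
    find the group whose objectSid ends in it, and use that group's gidNumber."""
    group = group_by_rid(groups, int(user["primaryGroupID"]))
    return (group["gidNumber"], group["cn"]) if group else None


def unresolved_primary_gids(users: List[Dict], groups: List[Dict],
                            mapped_attr: str) -> List[str]:
    """Audit helper: users whose mapped primary gid matches no group's gidNumber."""
    return [u["sAMAccountName"] for u in users
            if nslcd_primary_gid(u, groups, mapped_attr)[1] is None]
```

With the thread's mapping, unresolved_primary_gids reports Guilherme because gid 513 matches no group, which is exactly what the empty "getent group|grep 513" showed; with gidNumber mapped to gidNumber the list is empty.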