Mapping AD groups to Linux groups - sssd and Windows server 2016

I have a setup with RHEL 7.4 machines that connect to Active Directory (AD) running on a Windows Server 2016 Datacenter Edition. The Linux machines are in direct integration with the AD.

Since the Identity Management for Unix (IDMU) & NIS Server Role have been removed from this version of Windows, the solution is to use sssd to autogenerate UID and GID numbers.

I am not able to understand how the autogenerated GID will be mapped to the actual group on the Linux machine.

For example, if user john is a member of LinuxGroup in the AD and is logged in, and that should be mapped to group localgrp on the Linux machine, how will this work out? How would he get linuxgrp privileges if the autogenerated GID is 500 but the localgrp GID is 10 on the Linux machine?

To have only central management of users, we are not allowed to add users directly in Linux, i.e. in /etc/passwd.

Thanks.
asked Mar 14 at 12:41 by GeeKv2, edited May 28 at 7:31 by U880D
1 Answer

Accepted answer:
First, only the management console was removed from WS2016, but the UNIX schema is still there, I think it should still be accessible with e.g. ADSI edit. So you can still use the POSIX attributes, it's just harder to set them.

Second, the automatic ID mapping currently doesn't allow you to select any ranges manually. We're working on that upstream, but it won't be ready anytime soon and even then, you're probably not after setting a range, but rather setting the same mapping as you had before, 1:1.

So if you're going with the automatic ID mapping, you'd have to either chown the files or create per-machine overrides using the sss_override command line tool.
answered Mar 15 at 11:37 by jhrozek
• Thanks! I wasn't aware that the schema was still there :)
  – GeeKv2, Mar 15 at 13:03
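To make the answer's point concrete, here is an added Python model (my code, not sssd's and not the answer's) of how sssd's automatic ID mapping derives a UID/GID from an object's SID: the domain SID selects a slice of a large global range, and the object's RID is the offset inside that slice. The range defaults are those of sssd-ldap(5); the hash seed, the slice selection and the SIDs are my assumptions.

```python
# Added model of sssd's automatic ID mapping (ldap_id_mapping = True); not sssd's
# own code. Range defaults are those of sssd-ldap(5); the 0xdeadbeef seed and the
# "hash mod slices" slice choice are my reading of sss_idmap and are assumptions.
from typing import Optional

RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200000, 2000200000, 200000
MASK = 0xFFFFFFFF


def murmurhash3_32(key: bytes, seed: int = 0) -> int:
    """Reference MurmurHash3_x86_32, the hash sssd applies to the domain SID string."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h, nblocks = seed & MASK, len(key) // 4
    for i in range(nblocks):                       # 4-byte little-endian body blocks
        k = (int.from_bytes(key[4 * i:4 * i + 4], "little") * c1) & MASK
        h ^= (((k << 15) | (k >> 17)) * c2) & MASK
        h = (((h << 13) | (h >> 19)) * 5 + 0xE6546B64) & MASK
    tail, k = key[4 * nblocks:], 0
    for j in range(len(tail)):                     # 1..3 trailing bytes
        k ^= tail[j] << (8 * j)
    if tail:
        k = (k * c1) & MASK
        h ^= (((k << 15) | (k >> 17)) * c2) & MASK
    h ^= len(key)                                  # finalisation (fmix32)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & MASK
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


def domain_slice(domain_sid: str) -> int:
    """Slice of the global ID range for a domain: hash(domain SID) mod number of slices."""
    max_slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE
    return murmurhash3_32(domain_sid.encode(), 0xDEADBEEF) % max_slices


def mapped_id(object_sid: str) -> Optional[int]:
    """UID/GID for an AD object SID: base of the domain's slice plus the object's RID.
    sssd allocates a secondary slice for RIDs beyond one slice; this model returns None."""
    domain_sid, rid = object_sid.rsplit("-", 1)
    if int(rid) >= RANGE_SIZE:
        return None
    return RANGE_MIN + domain_slice(domain_sid) * RANGE_SIZE + int(rid)


# Constructed example SIDs (not from the page): one domain, one group with RID 1105.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP_SID = DOMAIN_SID + "-1105"
```

With these defaults every mapped ID is at least 200000 and depends only on the domain SID, the RID and the range settings, so it is identical on every machine with the same sssd.conf but can never coincide with a legacy local GID such as 10. That is why the answer points at the POSIX attributes in AD or at per-machine sss_override entries rather than at tuning the mapping.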