Mapping AD groups to Linux groups - sssd and Windows server 2016

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite
2












I have a setup with RHEL 7.4 machines that connect to Active Directory (AD) running on a Windows Server 2016 Datacenter Edition. The Linux machines are in direct integration with the AD.



Since Identity Management for Unix (IDMU) & NIS Server Role is removed from this version of Windows, the solution is to use sssd to autogenerate UID and GID numbers.



I am not able to understand how the autogenerated GID will be mapped to the actual group on the Linux machine.



For example, if user john is a member of LinuxGroup in the AD and is logged in and that should be mapped to group localgrp on the Linux machine, how will this work out? How would he get linuxgrp privileges if the autogenerated GID is 500 but localgrp GID is 10 on the Linux machine?



To have only central management of users, we are not allowed to add users directly in Linux i.e. in /etc/passwd.



Thanks.







share|improve this question


























    up vote
    2
    down vote

    favorite
    2












    I have a setup with RHEL 7.4 machines that connect to Active Directory (AD) running on a Windows Server 2016 Datacenter Edition. The Linux machines are in direct integration with the AD.



    Since Identity Management for Unix (IDMU) & NIS Server Role is removed from this version of Windows, the solution is to use sssd to autogenerate UID and GID numbers.



    I am not able to understand how the autogenerated GID will be mapped to the actual group on the Linux machine.



    For example, if user john is a member of LinuxGroup in the AD and is logged in and that should be mapped to group localgrp on the Linux machine, how will this work out? How would he get linuxgrp privileges if the autogenerated GID is 500 but localgrp GID is 10 on the Linux machine?



    To have only central management of users, we are not allowed to add users directly in Linux i.e. in /etc/passwd.



    Thanks.







    share|improve this question
























      up vote
      2
      down vote

      favorite
      2









      up vote
      2
      down vote

      favorite
      2






      2





      I have a setup with RHEL 7.4 machines that connect to Active Directory (AD) running on a Windows Server 2016 Datacenter Edition. The Linux machines are in direct integration with the AD.



      Since Identity Management for Unix (IDMU) & NIS Server Role is removed from this version of Windows, the solution is to use sssd to autogenerate UID and GID numbers.



      I am not able to understand how the autogenerated GID will be mapped to the actual group on the Linux machine.



      For example, if user john is a member of LinuxGroup in the AD and is logged in and that should be mapped to group localgrp on the Linux machine, how will this work out? How would he get linuxgrp privileges if the autogenerated GID is 500 but localgrp GID is 10 on the Linux machine?



      To have only central management of users, we are not allowed to add users directly in Linux i.e. in /etc/passwd.



      Thanks.







      share|improve this question














      I have a setup with RHEL 7.4 machines that connect to Active Directory (AD) running on a Windows Server 2016 Datacenter Edition. The Linux machines are in direct integration with the AD.



      Since Identity Management for Unix (IDMU) & NIS Server Role is removed from this version of Windows, the solution is to use sssd to autogenerate UID and GID numbers.



      I am not able to understand how the autogenerated GID will be mapped to the actual group on the Linux machine.



      For example, if user john is a member of LinuxGroup in the AD and is logged in and that should be mapped to group localgrp on the Linux machine, how will this work out? How would he get linuxgrp privileges if the autogenerated GID is 500 but localgrp GID is 10 on the Linux machine?



      To have only central management of users, we are not allowed to add users directly in Linux i.e. in /etc/passwd.



      Thanks.









      share|improve this question













      share|improve this question




      share|improve this question








      edited May 28 at 7:31









      U880D

      401314




      401314










      asked Mar 14 at 12:41









      GeeKv2

      134




      134




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          First, only the management console was removed from WS2016, but the UNIX schema is still there, I think it should still be accessible with e.g. ADSI edit. So you can still use the POSIX attributes, it's just harder to set them.



          Second, the automatic ID mapping currently doesn't allow you to select any ranges manually. We're working on that upstream, but it won't be ready anytime soon and even then, you're probably not after setting a range, but rather setting the same mapping as you had before, 1:1.



          So if you're going with the automatic ID mapping, you'd have to either chown the files or create per-machine overrides using the sss_override command line tool.






          share|improve this answer




















          • Thanks ! I wasn't aware that the schema was still there :)
            – GeeKv2
            Mar 15 at 13:03










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f430170%2fmapping-ad-groups-to-linux-groups-sssd-and-windows-server-2016%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          First, only the management console was removed from WS2016, but the UNIX schema is still there, I think it should still be accessible with e.g. ADSI edit. So you can still use the POSIX attributes, it's just harder to set them.



          Second, the automatic ID mapping currently doesn't allow you to select any ranges manually. We're working on that upstream, but it won't be ready anytime soon and even then, you're probably not after setting a range, but rather setting the same mapping as you had before, 1:1.



          So if you're going with the automatic ID mapping, you'd have to either chown the files or create per-machine overrides using the sss_override command line tool.






          share|improve this answer




















          • Thanks ! I wasn't aware that the schema was still there :)
            – GeeKv2
            Mar 15 at 13:03














          up vote
          2
          down vote



          accepted










          First, only the management console was removed from WS2016, but the UNIX schema is still there, I think it should still be accessible with e.g. ADSI edit. So you can still use the POSIX attributes, it's just harder to set them.



          Second, the automatic ID mapping currently doesn't allow you to select any ranges manually. We're working on that upstream, but it won't be ready anytime soon and even then, you're probably not after setting a range, but rather setting the same mapping as you had before, 1:1.



          So if you're going with the automatic ID mapping, you'd have to either chown the files or create per-machine overrides using the sss_override command line tool.






          share|improve this answer




















          • Thanks ! I wasn't aware that the schema was still there :)
            – GeeKv2
            Mar 15 at 13:03












          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          First, only the management console was removed from WS2016, but the UNIX schema is still there, I think it should still be accessible with e.g. ADSI edit. So you can still use the POSIX attributes, it's just harder to set them.



          Second, the automatic ID mapping currently doesn't allow you to select any ranges manually. We're working on that upstream, but it won't be ready anytime soon and even then, you're probably not after setting a range, but rather setting the same mapping as you had before, 1:1.



          So if you're going with the automatic ID mapping, you'd have to either chown the files or create per-machine overrides using the sss_override command line tool.






          share|improve this answer












          First, only the management console was removed from WS2016, but the UNIX schema is still there, I think it should still be accessible with e.g. ADSI edit. So you can still use the POSIX attributes, it's just harder to set them.



          Second, the automatic ID mapping currently doesn't allow you to select any ranges manually. We're working on that upstream, but it won't be ready anytime soon and even then, you're probably not after setting a range, but rather setting the same mapping as you had before, 1:1.



          So if you're going with the automatic ID mapping, you'd have to either chown the files or create per-machine overrides using the sss_override command line tool.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Mar 15 at 11:37









          jhrozek

          26111




          26111











          • Thanks ! I wasn't aware that the schema was still there :)
            – GeeKv2
            Mar 15 at 13:03
















          • Thanks ! I wasn't aware that the schema was still there :)
            – GeeKv2
            Mar 15 at 13:03















          Thanks ! I wasn't aware that the schema was still there :)
          – GeeKv2
          Mar 15 at 13:03




          Thanks ! I wasn't aware that the schema was still there :)
          – GeeKv2
          Mar 15 at 13:03












           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f430170%2fmapping-ad-groups-to-linux-groups-sssd-and-windows-server-2016%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?