the most formal way would be to ensure that that user has a valid uid and gid in activedirectory. these details are retreived as part of the query when logging in via pam with ldap support. that user then just appears to be local. i'm not best placed to give exact details of the best way to implement this i'm afraid, but i can say a few other things. there is a layer of abstraction between /etc/passwd, /etc/group and co, from what users are known to a system. this is defined via /etc/nsswitch.conf you'll see in there entries for shadow, passwd and group, and the ways in which those sets of resources are to be found - files, nis, ldap etc... you need to get to a stage where you can run "getent passwd" and such and see the accounts from AD as an output. that data there is just pulling directly on what programs like login itself use for a user base, they don't directly look at local config files at all. so when you have that list and a valid entry for each, including the gid and uid etc... then impliclty they then own any files matching that uid and gid.
if you have access to the AD implementation, or the ear of someone that does, look into installing the MS SFU AD extensions. this will add official fields for the attributes you need, but it is possible to fudge them with existing unused variables to some extent.
HTH
|