Hey, if you go to Windows 2003 Active Directory, Unix Attributes tab, you have a group ID. How can I use this ID in Linux? I already authenticate my Linux server to Active Directory, but I don't have a clue how to restrict access to members via these groups. Can someone give me some info about everything they know about these "group ID" things?
The reason I'm asking is I'm trying to build an infrastructure/hierarchy in Active Directory and use it in Linux, but I don't know how this works.
Well, how are you authenticating? The simplest "nice" solution would be LDAP, in which case you'd configure the ldap.conf on the client machine to map those attributes to the UID and GID you need locally. Most ldap.conf files do have a template section for mapping MS SFU attributes into real UNIX ones. Once you have done this, the usage of the data becomes generic: rather than adding some user to local group number 501 (for example), you'd add them to group 12345, which just so happens to be held on AD, but at that stage that's none of your concern.
Last edited by acid_kewpie; 04-30-2008 at 08:29 AM.
Well, as above, to be honest... configure the OpenLDAP client, configure nsswitch and PAM to use LDAP. You've not said what distro you are using, so I can't comment on any specifics...
Yeah, I already can authenticate (I'm using CentOS), so I added some users to Active Directory:
200 is the admin group
100 is the normal user group
------------------------------
john group id: 200
jack group id: 100
elle group id: 100
I log them into my Linux server, then what? For example, there is a folder /home/shares.
Group 100 can read but can't change anything, and everyone from group 200 can do everything they want with the folder.
Well, a really good demarcation point is the getent tool. Running "getent group" on the client will list all known groups from whatever sources it has configured, and that should then be listed. On AD you should use much higher numbers though, nothing below 10000 I'd say, so you know that any UID or GID greater than that is on Active Directory and nothing is going to clash.
Hmm, don't quite get it; sorry for the late reply, due to holiday. So in Active Directory I had the Unix attributes shown as in the screenshot. Click here. Only where it says Primary group name/GID I have set it up as 666 and not as 100.
I log in with the user and do the following:
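The permission layout the question asks for, as an added example that is not part of the thread: the full-control group owns the directory with the setgid bit, the read-only group gets in through a POSIX ACL (plain mode bits only have one group slot, so "group 200 full, group 100 read, nobody else" cannot be expressed with chmod alone). It assumes both GIDs already resolve on the client (getent group) and that the acl package (setfacl) is installed; the real GIDs 200 and 100 need root, so the demo at the bottom uses a temporary directory and the caller's own primary group.

```shell
#!/bin/sh
# Added example (not from the thread). Sets up a shared directory with one
# full-control group and one read-only group. Assumes: both GIDs resolve
# via getent, setfacl is available for the read-only ACL, root for real GIDs.

# share_setup DIR ADMIN_GID READER_GID
share_setup() {
    dir=$1; admin=$2; reader=$3
    mkdir -p "$dir"
    chgrp "$admin" "$dir"     # group owner = full-control group (200 in the thread)
    chmod 2770 "$dir"         # rwx owner+group, nothing for others; setgid so
                              # files created inside inherit the admin group
    # Read-only access for the second group (100 in the thread) needs an ACL.
    # Silently skipped if setfacl is missing or the filesystem lacks ACL support.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -m "g:$reader:r-x" "$dir" 2>/dev/null || true
        setfacl -d -m "g:$reader:r-x" "$dir" 2>/dev/null || true  # default ACL for new entries
    fi
}

# share_mode DIR : ten-character permission string as shown by ls, e.g. drwxrws---
share_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo: temporary directory, caller's own primary group in both roles so it
# runs unprivileged. On the real box: share_setup /home/shares 200 100
demo=$(mktemp -d)
share_setup "$demo/shares" "$(id -g)" "$(id -g)"
echo "$demo/shares -> $(share_mode "$demo/shares")"   # drwxrws--- (plus '+' when an ACL was applied)
getfacl "$demo/shares" 2>/dev/null || true
rm -rf "$demo"
```

Check the result with `ls -ld /home/shares` (expect `drwxrws---+`) and `getfacl /home/shares`; a member of the reader group should be able to `ls` the directory but get "Permission denied" on `touch`.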
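To make the getent check above mechanical, here is an added example (not from the thread): it parses text in the format of "getent group" and "/etc/nsswitch.conf", looks a GID up, lists the groups that fall in the AD range using the >= 10000 convention from this reply, and checks whether nsswitch actually consults ldap for the group database. The sample data is constructed, not real output; the group names and the nsswitch contents are my own, and the nsswitch sample deliberately has ldap on passwd but not on group, which is exactly the situation where getent passwd shows AD users while getent group shows nothing from AD.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers over getent/nsswitch text.
# Real use:  getent group | ad_groups ;  nsswitch_has_ldap group < /etc/nsswitch.conf

# Constructed sample in "getent group" format (NOT real output).
SAMPLE_GETENT='root:x:0:root
wheel:x:10:root
users:x:100:
hpsmh:x:500:
shareadmins:x:10200:john
sharereaders:x:10100:jack,elle'

# Constructed nsswitch.conf: ldap is consulted for passwd but not for group.
SAMPLE_NSSWITCH='passwd:     files ldap
shadow:     files
group:      files'

AD_MIN_ID=10000   # convention from the reply: nothing below 10000 on AD

# group_by_gid GID : print the group name for GID, exit 1 if no entry resolves
group_by_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1; found = 1 }
                         END { exit found ? 0 : 1 }'
}

# ad_groups : print name:gid for every group whose gid is in the AD range
ad_groups() {
    awk -F: -v min="$AD_MIN_ID" '$3 + 0 >= min { print $1 ":" $3 }'
}

# members_of NAME : print the comma-separated member list of a group
members_of() {
    awk -F: -v name="$1" '$1 == name { print $4 }'
}

# nsswitch_has_ldap DB : exit 0 if the DB line (passwd, group, ...) lists ldap
nsswitch_has_ldap() {
    awk -v db="$1" '$1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                    END { exit found ? 0 : 1 }'
}

# Demo run over the constructed samples
printf '%s\n' "$SAMPLE_GETENT" | group_by_gid 666 || echo "gid 666: no group resolves"
printf '%s\n' "$SAMPLE_GETENT" | group_by_gid 10200
printf '%s\n' "$SAMPLE_GETENT" | ad_groups
printf '%s\n' "$SAMPLE_GETENT" | members_of sharereaders
for db in passwd group; do
    if printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_has_ldap "$db"; then
        echo "nsswitch: $db uses ldap"
    else
        echo "nsswitch: $db does NOT use ldap"
    fi
done
```

If the group line in nsswitch.conf lacks ldap, getent group can never show an AD GID no matter how the attributes are mapped, so that is the first thing to look at before touching ldap.conf.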
[root@localhost ~]# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
nscd:x:28:
slocate:x:21:
sshd:x:74:
rpc:x:32:
mailnull:x:47:
smmsp:x:51:
rpcuser:x:29:
nfsnobody:x:65534:
pcap:x:77:
apache:x:48:
squid:x:23:
webalizer:x:67:
ntp:x:38:
hpsmh:x:500:
And my group 666 is not shown here, why? Do I have to create a similar group in Linux first? If so, how do I do this?
The groups shown are only shown if a full legitimate entry is available when the mappings in /etc/ldap.conf are applied to the AD LDAP results. Also, the resources queried here are the ones specified in /etc/nsswitch.conf, as often configured under Red Hat based systems using system-config-authentication, or configured manually by hand. So have you got the right entries in both ldap.conf and nsswitch.conf? Are you happily already using a tool like ldapsearch to query the LDAP services on AD?
Well, I asked a number of questions you didn't answer... So at what stage do things not work? Are you doing LDAP searches OK? I've not seen lubnss-ldap.conf; all LDAP stuff I do is generally in /etc/ldap.conf, so maybe you've created config files that your system isn't reading.
Oh sorry, well I use ldapsearch to look up users and such, and that works fine. I can log on to the Linux server with SSH with Active Directory credentials; if I do getent users, I get a list of Active Directory users. Indeed my config file is also in /etc/ldap.conf, because the tutorial is one for Debian; I use a RHEL based distribution (CentOS).
The thing that doesn't work is: I added a new user in Active Directory, I set in Unix attributes the primary group ID to 666, then I try getent group in Linux, but there isn't any group shown as 666?
Last edited by zerocool22; 05-05-2008 at 04:27 AM.
So it would still be presumed that the attributes are not being fully mapped. You might like to try to cut the problem in half and use a tool like Wireshark to see what is being sent on the wire... are you actually receiving the LDAP results that are subsequently being dropped?
Hey thanks, but I can use ldapsearch perfectly, I can log in just fine with Active Directory; I don't think this is a wire problem, because all firewalls are down, and I also have it running in a test environment, and that's just virtual machines on VMware running on my PC. Because getent passwd does show all Active Directory users also..
So I think the problem just lies in that I don't know how to add the users to a group and use that group for building a hierarchy.
Yes, but you have a separate mapping for groups to passwd entries, so you still need to ensure for each form of data as defined in nsswitch.conf that you are pulling across valid data. If you do see valid data on the getent command (not just a generic ldapsearch), then the mapping between the two really must be wrong still in /etc/ldap.conf.
This is my ldap.conf:
----------------------
host server.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=scout,cn=Users,dc=example,dc=com
bindpw correctpasswordusedhere
scope sub
timelimit 30
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute homeDirectory unixHomeDirectory
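The posted ldap.conf maps the account side (posixAccount/shadowAccount to the AD user class, homeDirectory to unixHomeDirectory) but carries no mapping for the group side, which is the "separate mapping for groups" the previous reply points at. The added example below, not from the thread, lints a nss_ldap-style ldap.conf for that: it reports the group-side directives that are absent and flags a clear-text bindpw. The directive set it expects (nss_base_group, nss_map_objectclass posixGroup, nss_map_attribute uniqueMember) is taken from the Windows 2003 R2 mapping template in nss_ldap's sample ldap.conf and is an assumption about the schema in use; the sample config is the one posted above with the password replaced by a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Lints an nss_ldap /etc/ldap.conf for the
# group-side mapping directives and for credentials stored in clear text.
# Real use:  lint_ldap_conf < /etc/ldap.conf

# The posted config, with the bind password replaced by a placeholder.
SAMPLE_LDAP_CONF='host server.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=scout,cn=Users,dc=example,dc=com
bindpw PASSWORD-PLACEHOLDER
scope sub
timelimit 30
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute homeDirectory unixHomeDirectory'

# has_directive KEY [VALUE] : exit 0 if a line "KEY VALUE ..." is present on stdin
has_directive() {
    awk -v k="$1" -v v="$2" '$1 == k && (v == "" || $2 == v) { found = 1 }
                             END { exit found ? 0 : 1 }'
}

# missing_group_mappings : print each expected group-side directive that is absent.
# Expected set assumes the R2-style template (posixGroup -> group,
# uniqueMember -> member); adjust for the SFU 3.x schema (msSFU30PosixMember).
missing_group_mappings() {
    conf=$(cat)
    for d in "nss_base_group" "nss_map_objectclass posixGroup" "nss_map_attribute uniqueMember"; do
        set -- $d
        printf '%s\n' "$conf" | has_directive "$1" "$2" || printf '%s\n' "$d"
    done
}

# lint_ldap_conf : one finding per line
lint_ldap_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" | missing_group_mappings | sed 's/^/missing: /'
    # nss_ldap reads ldap.conf as every user, so a bindpw here is readable by all
    # local accounts; nss_ldap supports rootbinddn with the password in /etc/ldap.secret (mode 600)
    if printf '%s\n' "$conf" | has_directive bindpw; then
        echo "warning: bindpw stores the bind password in clear text; use rootbinddn + /etc/ldap.secret or restrict the file"
    fi
}

printf '%s\n' "$SAMPLE_LDAP_CONF" | lint_ldap_conf
```

On the posted config this reports the three group-side directives as missing plus the bindpw warning. Once the group mapping lines are in place, "getent group" should start listing the AD groups, and the GID on a user's Unix Attributes tab resolves to a name.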