LinuxQuestions.org
Thread: server 2003 Unix attributes

#1  zerocool22  04-30-2008, 08:20 AM


Hey, if you go to Windows 2003 Active Directory, Unix attributes tab, you have a group id. How can I use this id in Linux? I already authenticate my Linux server to Active Directory, but I don't have a clue how to restrict access to members via these groups. Can someone give me some info about everything they know about these "group id" things?

The reason I'm asking is that I'm trying to build an infrastructure/hierarchy in Active Directory and use it in Linux, but I don't know how this works.

Grtz
 
#2  acid_kewpie (Moderator)  04-30-2008, 08:25 AM
Well, how are you authenticating? The simplest "nice" solution would be LDAP, in which case you'd configure the ldap.conf on the client machine to map those attributes to the uid and gid you need locally. Most ldap.conf files do have a template section for mapping MSSFU attributes into real UNIX ones. Once you have done this, the usage of the data becomes generic: rather than adding some user to local group number 501 (for example), you'd add them to group 12345, which just so happens to be held on AD, but at that stage that's none of your concern.

 
#3  zerocool22  04-30-2008, 08:31 AM
Hey, yeah, I'm using LDAP for authentication, but I still don't have a clue.
 
#4  acid_kewpie (Moderator)  04-30-2008, 08:32 AM
Well, as above, to be honest... configure the OpenLDAP client, configure nsswitch and PAM to use LDAP. You've not said what distro you are using, so I can't comment on any specifics...
 
#5  zerocool22  04-30-2008, 09:08 AM
Yeah, I already can authenticate (I'm using CentOS), so I add some users to Active Directory:
200 is the admin group
100 is the normal user group
------------------------------
john group id: 200
jack group id: 100
elle group id: 100

I log them into my Linux server, then what? For example, there is a folder /home/shares.
Group 100 can read but can't change anything, and everyone from group 200 can do everything they want with the folder.

How do I set this up?
 
#6  acid_kewpie (Moderator)  04-30-2008, 09:33 AM
Well, a really good demarcation point is the getent tool. Running "getent group" on the client will list all known groups from whatever sources it has configured, and that group should then be listed. On AD you should use much higher numbers though, nothing below 10000 I'd say, so you know that any uid or gid greater than that is on Active Directory and nothing is going to clash.
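The shared-directory layout post #5 asks for (one group reads, the admin group has full control), together with the getent and ID-range checks from post #6, as an added example that is not part of the thread and not code from either poster. It assumes plain POSIX mode bits rather than ACLs: the directory is group-owned by the admin GID and setgid, so files created inside inherit that group, and mode 2775 gives that group rwx while everyone else, which includes but is not limited to the normal-user group, gets read-only. The path /home/shares and the GIDs 100/200 are the ones from the thread; the demo at the bottom uses a temporary directory and the caller's own GID so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread: a shared directory in the shape post #5
# describes, using the Unix GIDs that AD hands out once the mappings work.
# Assumed model (no ACLs): admin GID owns the directory, setgid bit set,
# mode 2775 -> admin group rwx, everyone else (including the users group) r-x.
# Thread values: 200 = admin group, 100 = normal user group, /home/shares.

# gid_resolves GID: does the name service (files + ldap, per nsswitch.conf)
# know this group? This is the `getent group` check from post #6. If an AD
# group does not show up here, fix the mapping before touching permissions.
gid_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# gid_in_ad_range GID: post #6 recommends keeping AD-managed IDs at 10000 and
# above so they cannot collide with local accounts; return 0 if GID complies.
gid_in_ad_range() {
    [ "$1" -ge 10000 ] 2>/dev/null
}

# share_setup DIR ADMIN_GID: create DIR if needed, hand it to ADMIN_GID and set
# mode 2775 (setgid + rwxrwxr-x). Warns on an unresolved or low GID; returns
# non-zero only if mkdir/chgrp/chmod fail.
share_setup() {
    dir=$1 gid=$2
    gid_resolves "$gid" || echo "warning: gid $gid does not resolve via getent; check ldap.conf/nsswitch.conf" >&2
    gid_in_ad_range "$gid" || echo "warning: gid $gid is below 10000 and may clash with a local group" >&2
    mkdir -p "$dir" && chgrp "$gid" "$dir" && chmod 2775 "$dir"
}

# share_mode PATH / share_gid PATH: read back what was applied, for verification.
share_mode() { stat -c %a "$1"; }
share_gid()  { stat -c %g "$1"; }

# Demo: a throwaway directory owned by the caller's own primary group.
# In production this would be: share_setup /home/shares 200
DEMO=$(mktemp -d)/shares
if share_setup "$DEMO" "$(id -g)"; then
    touch "$DEMO/newfile"
    printf 'dir %s mode=%s gid=%s; newfile gid=%s\n' \
        "$DEMO" "$(share_mode "$DEMO")" "$(share_gid "$DEMO")" "$(share_gid "$DEMO/newfile")"
fi
```

Two caveats a practitioner will hit with this layout. First, the setgid bit only fixes the group of new files, not their mode: a user with the default umask 022 creates files as 644, which the other admins cannot edit, so admins of a shared tree need umask 002 (or an ACL default entry). Second, if "everyone can read" is too broad, POSIX ACLs restrict read to exactly the users group, for example `setfacl -m g:100:rx,g:200:rwx /home/shares` plus the matching `-d` default entries for inheritance; that needs the acl package and an acl-enabled filesystem, which is why the example sticks to mode bits.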
 
#7  zerocool22  05-05-2008, 02:12 AM
Hmm, don't quite get it. Sorry for the late reply, due to holiday. So in Active Directory I had the Unix attributes shown as in the screenshot [link in original post]. Only where it says Primary group name/GID I have set it up as 666 and not as 100.
I log in with the user and do the following:
[root@localhost ~]# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
nscd:x:28:
slocate:x:21:
sshd:x:74:
rpc:x:32:
mailnull:x:47:
smmsp:x:51:
rpcuser:x:29:
nfsnobody:x:65534:
pcap:x:77:
apache:x:48:
squid:x:23:
webalizer:x:67:
ntp:x:38:
hpsmh:x:500:

And my group 666 is not shown here. Why? Do I have to create a similar group in Linux first? If so, how do I do this?
 
#8  acid_kewpie (Moderator)  05-05-2008, 03:19 AM
The groups shown are only shown if a full legitimate entry is available when the mappings in /etc/ldap.conf are applied to the AD LDAP results. Also, the resources queried here are the ones specified in /etc/nsswitch.conf, as often configured under Red Hat based systems using system-config-authentication, or configured manually by hand. So have you got the right entries in both ldap.conf and nsswitch.conf? Are you happily already using a tool like ldapsearch to query the LDAP services on AD?
 
#9  zerocool22  05-05-2008, 03:21 AM
I did everything the same as in the following link:
http://adminspotting.net/articles/wi...Directory.html
 
#10  acid_kewpie (Moderator)  05-05-2008, 04:20 AM
Well, I asked a number of questions you didn't answer... So at what stage do things not work? Are you doing LDAP searches OK? I've not seen libnss-ldap.conf; all LDAP stuff I do is generally in /etc/ldap.conf, so maybe you've created config files that your system isn't reading.
 
#11  zerocool22  05-05-2008, 04:25 AM
Quote (acid_kewpie, post #10):
    Well, I asked a number of questions you didn't answer... So at what stage do things not work? Are you doing LDAP searches OK? I've not seen libnss-ldap.conf; all LDAP stuff I do is generally in /etc/ldap.conf, so maybe you've created config files that your system isn't reading.

Oh sorry. Well, I use ldapsearch to look up users and such, and that works fine. I can log on to the Linux server with SSH using Active Directory credentials. If I do getent users, I get a list of Active Directory users. Indeed my config file is also in /etc/ldap.conf, because the tutorial is one for Debian; I use a RHEL based distribution (CentOS).

The thing that doesn't work is this: I added a new user in Active Directory and set, in Unix attributes, the primary group id to 666. Then I try getent group in Linux, but there isn't any group shown as 666?

 
#12  acid_kewpie (Moderator)  05-06-2008, 05:30 AM
So it would still be presumed that the attributes are not being fully mapped. You might like to try to cut the problem in half and use a tool like Wireshark to see what is being sent on the wire... are you actually receiving the LDAP results that are subsequently being dropped?
 
#13  zerocool22  05-06-2008, 05:56 AM
Hey, thanks, but I can use ldapsearch perfectly and I can log in just fine with Active Directory. I don't think this is a wire problem, because all firewalls are down, and I also have it running in a test environment, which is just virtual machines on VMware running on my PC. Also, getent passwd does show all Active Directory users.
So I think the problem just lies in that I don't know how to add the users to a group and use that group for building a hierarchy.
 
#14  acid_kewpie (Moderator)  05-06-2008, 06:15 AM
Yes, but you have a separate mapping for groups to passwd entries, so you still need to ensure, for each form of data as defined in nsswitch.conf, that you are pulling across valid data. If you do see valid data on the getent command (not just a generic ldapsearch), then the mapping between the two really must still be wrong in /etc/ldap.conf.
 
#15  zerocool22  05-06-2008, 06:42 AM
Oh OK, thanks.

this is my ldap.conf
----------------------
host server.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=scout,cn=Users,dc=example,dc=com
bindpw correctpasswordusedhere
scope sub
timelimit 30
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute homeDirectory unixHomeDirectory

My nsswitch.conf (/etc/nsswitch.conf)
--------------------------------------

passwd: ldap files
shadow: ldap files
group: ldap files
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
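An offline diagnostic for the mapping problem discussed in posts #2, #8 and #14, run against the ldap.conf and nsswitch.conf posted above; this is an added example, not code from the thread or from either poster. What it checks follows from the posted config: the user side is mapped (posixAccount/shadowAccount to "user", homeDirectory to unixHomeDirectory) but nothing maps the group side, and nss_ldap looks up groups as objectClass=posixGroup with uniqueMember attributes, which AD does not expose. The two group mapping lines below are the ones from the Windows 2003 R2 / SFU section of the nss_ldap ldap.conf template; the AD group object itself also needs its own gidNumber set in the UNIX Attributes tab, a primary GID on the user alone is not enough. The sample files are constructed from the thread's own ldap.conf (post #15) and a subset of the getent output (post #7); the check for an inline bindpw is added because /etc/ldap.conf has to be world-readable for nss_ldap to work in every process.

```shell
#!/bin/sh
# Added diagnostic for the nss_ldap setup this thread is debugging; not code
# from the thread. Sample inputs are constructed from posts #15 and #7.
#
# Offline checks:
#   1. ldapconf_missing FILE         - which group-side mapping lines FILE lacks
#   2. getent_has_gid FILE GID       - whether a saved `getent group` dump has GID
#   3. ldapconf_bindpw_inline FILE   - is a plaintext bindpw stored in FILE?

# nss_ldap resolves groups as objectClass=posixGroup with uniqueMember. AD
# exposes objectClass=group with member, so without these two lines (from the
# Windows 2003 R2 / SFU section of the nss_ldap ldap.conf template) no AD group
# ever reaches `getent group`, whatever primary GID a user carries.
REQUIRED_GROUP_MAPS='nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member'

# ldapconf_missing FILE: print each required mapping that FILE lacks.
# Returns 0 if nothing is missing, 1 otherwise. Tolerates tabs/extra spaces.
ldapconf_missing() {
    _missing=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        pat=$(printf '%s' "$want" | sed 's/ /[[:space:]]+/g')
        if ! grep -Eq "^[[:space:]]*${pat}[[:space:]]*"'$' "$1"; then
            printf '%s\n' "$want"
            _missing=1
        fi
    done <<EOF
$REQUIRED_GROUP_MAPS
EOF
    return $_missing
}

# getent_has_gid FILE GID: return 0 if some line (name:x:gid:members) of FILE
# carries GID in the third field.
getent_has_gid() {
    awk -F: -v g="$2" '$3 == g { found = 1 } END { exit !found }' "$1"
}

# ldapconf_bindpw_inline FILE: return 0 if FILE sets bindpw directly. Because
# /etc/ldap.conf must be readable by every process doing name lookups, a bindpw
# there is readable by every local user; nss_ldap's rootbinddn with the
# password in /etc/ldap.secret (mode 600) keeps it out of the shared file.
ldapconf_bindpw_inline() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1"
}

# --- constructed samples ----------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LDAP_CONF="$SAMPLE_DIR/ldap.conf"        # the ldap.conf from post #15
cat >"$SAMPLE_LDAP_CONF" <<'EOF'
host server.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=scout,cn=Users,dc=example,dc=com
bindpw correctpasswordusedhere
scope sub
timelimit 30
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute homeDirectory unixHomeDirectory
EOF

# The same file with the group mappings appended: what the fix looks like.
FIXED_LDAP_CONF="$SAMPLE_DIR/ldap.conf.fixed"
{ cat "$SAMPLE_LDAP_CONF"; printf '%s\n' "$REQUIRED_GROUP_MAPS"; } >"$FIXED_LDAP_CONF"

SAMPLE_GETENT="$SAMPLE_DIR/getent-group.txt"   # subset of post #7, no gid 666
cat >"$SAMPLE_GETENT" <<'EOF'
root:x:0:root
wheel:x:10:root
users:x:100:
nfsnobody:x:65534:
hpsmh:x:500:
EOF

# --- run against the samples -------------------------------------------------
if ldapconf_missing "$SAMPLE_LDAP_CONF" >"$SAMPLE_DIR/missing"; then
    echo "posted ldap.conf: group mappings present"
else
    echo "posted ldap.conf lacks:"; sed 's/^/    /' "$SAMPLE_DIR/missing"
fi
for g in 100 666; do
    if getent_has_gid "$SAMPLE_GETENT" "$g"; then
        echo "gid $g: present in getent group"
    else
        echo "gid $g: absent from getent group (check ldap.conf mapping and the group's gidNumber in AD)"
    fi
done
if ldapconf_bindpw_inline "$SAMPLE_LDAP_CONF"; then
    echo "warning: bindpw stored inline in ldap.conf; prefer rootbinddn + /etc/ldap.secret"
fi
```

To use it against a live client, point `ldapconf_missing` at /etc/ldap.conf and feed `getent_has_gid` a file produced by `getent group > /tmp/groups`; if the mapping lines are present and the group still does not appear, the next thing to check is the group object in AD, with `ldapsearch '(&(objectClass=group)(cn=NAME))' gidNumber member` showing whether gidNumber is actually set on it.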
 
  


All times are GMT -5.