LinuxQuestions.org > Forums > Linux - Software
#1  Uday123 (Member)  09-14-2009, 08:56 AM
Adding AD user to a Local Primary Group?


Hi,

My RHL machine is integrated with Active Directory.

By default my AD user's primary group is "Domain Users", but I would like to change that to a local Linux group. Somehow the usermod command is not allowing me to make the local Linux group the primary group for the AD user.

# usermod -g localprimarygrp ad_service_account
usermod: ad_service_account not found in /etc/passwd

But "getent passwd" lists all my AD users with the proper UID, GID, home dir and default shell (as though the entries were present in /etc/passwd).

So how can I add my AD user to a local primary group without editing (adding) any entries in /etc/passwd?

Thanks in advance.
 
#2  acid_kewpie (Moderator)  09-14-2009, 09:43 AM
Either set the user's gid in AD to the relevant gid of the group you want (to make it its primary group) or add the user to the local group in /etc/group. I think the latter should work to be an additional member, not 100% sure though.
 
#3  ramram29 (Member)  09-14-2009, 09:55 AM
This is a very tough one. First of all you'll have to use Kerberos authentication or AD will not allow authentication and authorization. You'll have to use nscd for caching accounts also. Then you are going to have to modify ldap.conf to map POSIX attributes to the LDAP attributes that you add to AD (you can do that using Unix Services for Windows). You can also use Samba winbind if you are going to create shares between your Linux and Windows servers. Lastly, modify the PAM modules in order to create authentication permissions. It took me a while to do this but it can be done.
 
#4  Uday123 (Original Poster)  09-14-2009, 10:13 AM
Thanks ramram29, acid_kewpie.

I am using samba+winbind for AD integration. Right now I am able to log in with AD users without any issues, but for one of my requirements the AD user should be part of a primary group. While installing software with the AD user, the folder structure is owned by <ad user>:<default ad group>. But I want <ad user>:<local group>. That is possible only if we can make the local group the primary group for the AD user. How can we do this?

Thanks in advance.
 
#5  acid_kewpie (Moderator)  09-14-2009, 03:13 PM
As I already said, can't you just set it within AD?
 
#6  ramram29 (Member)  09-14-2009, 03:31 PM

Quote: Originally Posted by Uday123
While installing software with AD user, the folder structure is owned by <ad user>:<default ad group>. But I want <ad user>:<local group>. That is possible only if we can make the local group as a primary group for AD user. How can we do this?
One way is to set the sticky bit so that the directories and subdirectories get the same group ownership.

chgrp localgroup /home/share    # set the group owner (chown localgroup would change the owning user instead)
chmod 2775 /home/share          # the leading 2 is the setgid bit on the directory; new entries inherit its group

From then on every subdirectory will get the localgroup group ownership.

The other solution would be to give the AD group the same gidnumber as the localgroup then assign that as the default group to the users. but I don't like doing this cause it can become confusing.
 
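The inheritance the post above relies on comes from the setgid bit on the directory (the 2 in 2775), and the group has to be set with chgrp or chown :group rather than chown group. The script below is an added example, not code from the thread: it builds a throwaway directory, applies the two commands, creates a subdirectory and a file inside, and checks that both carry the directory's gid and that the subdirectory also got the setgid bit. It assumes GNU coreutils (stat -c) on Linux and that the caller is a member of the group passed in (or root), since chgrp fails otherwise.

```sh
#!/bin/sh
# Added example (not from the thread): verify setgid-directory group
# inheritance. Assumes GNU coreutils `stat -c` on Linux.
#
# setgid_inherit_check GROUP
#   Creates a fresh mktemp directory, makes it group-owned by GROUP with
#   mode 2775, creates a subdirectory and a file under it, and prints "ok"
#   when both inherit the directory's gid and the subdirectory also carries
#   the setgid bit. Returns 1 with a message on stderr otherwise.
setgid_inherit_check() {
    group=$1
    dir=$(mktemp -d) || return 1
    chgrp "$group" "$dir" || return 1   # chgrp, not `chown GROUP`, which would set the owning user
    chmod 2775 "$dir" || return 1       # leading 2 = setgid on a directory
    mkdir "$dir/sub" || return 1        # plain mkdir: no chmod afterwards, so setgid is kept
    : > "$dir/sub/file" || return 1
    want=$(stat -c %g "$dir")
    for p in "$dir/sub" "$dir/sub/file"; do
        got=$(stat -c %g "$p")
        if [ "$got" != "$want" ]; then
            echo "group not inherited on $p: gid $got, expected $want" >&2
            return 1
        fi
    done
    # 7th character of the symbolic mode is the group execute slot;
    # 's' (or 'S' when g-x is masked off) there means setgid propagated.
    case $(stat -c %A "$dir/sub") in
        d?????[sS]*) ;;
        *) echo "setgid bit did not propagate to $dir/sub" >&2; return 1 ;;
    esac
    rm -rf "$dir"
    echo ok
}

# Run stand-alone with a group you belong to, e.g. your own primary group:
#   sh setgid_check.sh "$(id -gn)"
if [ -n "${1:-}" ]; then
    setgid_inherit_check "$1"
fi
```

Note that this only fixes the group on things created under that tree; a file copied in with cp -p, or moved in with mv from elsewhere on the same filesystem, keeps the group it already had, and a user who chmods a subdirectory while not a member of its group will have the kernel clear the setgid bit on it.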
#7  acid_kewpie (Moderator)  09-14-2009, 03:38 PM
I'm missing something, or you are really over thinking this one... should be real simple the way I read it, and certainly not a "very tough one".
 
#8  Uday123 (Original Poster)  09-15-2009, 05:55 AM
Thanks a lot for your replies.

This is what I am planning to do. Kindly review.
1. Create an ADgroup and make it the primary group for our ADuser.
2. Find out the GID number of the ADgroup ("id ADuser" will list the UID and GID numbers).
3. Replace the GID number of localgroup with the ADgroup GID number.

Now the ADuser is a member of localgroup (i.e. its primary group).
 
#9  acid_kewpie (Moderator)  09-15-2009, 07:41 AM
No. Just create a local group and take its gid number, and insert it into the AD user account details.
 
#10  ramram29 (Member)  09-15-2009, 04:56 PM
Uday, you're on the right track. What you can do is create an AD group and assign its gidNumber value to be the same as the gidNumber of the localgroup. For example, if your new Linux group is called myusers(1001) then create an AD group called myusers and make sure its gidNumber value is set to 1001. The attribute for the gidNumber can be called anything, then you'll have to map the attribute with the POSIX nss_map_attribute equivalent in your ldap.conf file. I prefer to call it simply gidNumber.
 
#11  jstalewski (LQ Newbie)  02-24-2011, 02:55 PM
For those that are reading this thread because you are having trouble getting Samba to use the primary GID you have set in AD, this is why:

The problem is that the idmap ad / idmap config <domain>: ad function in combination with either schemamode = SFU or schemamode = rfc2307 and winbind nss info = rfc2307 or sfu, after Samba 3.3, no longer uses the relevant gid for the primary GID but defaults to the Windows primaryGroupID attribute, contrary to either schema, so that populating the primary group attribute in AD (gidNumber) does not properly enumerate using getent passwd. It does enumerate using getent passwd <username>, so it is inconsistent in that fashion.

idmap ad with schemamode rfc2307 in Samba 3 between 3.0.something and 3.3.0 worked as expected, where the primary gid enumerated by getent passwd would be the value of gidNumber. They changed idmap radically with 3.3 including the "feature" which I consider a bug, of using the Windows AD attribute primaryGroupID instead of the rfc2307 schema attribute gidNumber. They have for unknown reasons (because I can't find any wiki, blog, or mailing list entries that explain their thought processes) chosen to keep that bizarre default.

I wish they would at least allow an override, to allow the unix primary gid to be gleaned from the rfc2307 gidNumber attribute as it used to be, and still should be. It is preventing me from upgrading Samba.
 
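Whichever route is taken, the thing to verify on the Linux side is what NSS actually returns: the gid in the user's passwd entry, which group name(s) that gid resolves to (posts #8 and #10 deliberately give a local group and an AD group the same gidNumber), and whether the enumerated `getent passwd` and the single `getent passwd USER` lookups agree (the inconsistency #11 describes). The script below is an added example, not part of the thread or of Samba: it parses passwd and group data in getent format and reports those three things. The SAMPLE_* data, the user svc_build, the groups deployers and builders, and the EXAMPLE domain path are constructed so the script runs offline; on a real host pass "$(getent passwd)" and "$(getent group)" instead, as the stand-alone section at the bottom does.

```sh
#!/bin/sh
# Added example (not from the thread): inspect how an AD user's primary GID
# resolves through NSS and flag the two traps discussed above:
#   - a local group and an AD group sharing one gidNumber (posts #8/#10)
#   - `getent passwd` enumeration disagreeing with `getent passwd USER` (post #11)
# All SAMPLE_* data is constructed for an offline run.

SAMPLE_PASSWD_ENUM='alice:x:1000:1000:alice:/home/alice:/bin/bash
svc_build:*:10005:10001:svc_build:/home/EXAMPLE/svc_build:/bin/bash'

# Single-user lookup, constructed as if winbind had honoured gidNumber=1001
SAMPLE_PASSWD_SINGLE='svc_build:*:10005:1001:svc_build:/home/EXAMPLE/svc_build:/bin/bash'

# Local groups plus winbind groups; 1001 is intentionally used twice
SAMPLE_GROUP='alice:x:1000:
deployers:x:1001:alice
domain users:x:10001:
builders:x:1001:'

# primary_gid USER PASSWD_TEXT -> prints USER's primary gid (4th field), nothing if absent
primary_gid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# names_for_gid GID GROUP_TEXT -> prints every group name carrying GID, one per line
names_for_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# gid_collisions GROUP_TEXT -> prints each gid that more than one group name uses
gid_collisions() {
    printf '%s\n' "$1" | awk -F: 'NF { n[$3]++ } END { for (g in n) if (n[g] > 1) print g }' | sort -n
}

# primary_group_report USER PASSWD_TEXT GROUP_TEXT
#   -> "USER GID name[,name...]"; the name list is "<unresolved>" when no group has GID
primary_group_report() {
    gid=$(primary_gid "$1" "$2")
    if [ -z "$gid" ]; then
        echo "$1: no passwd entry" >&2
        return 1
    fi
    names=$(names_for_gid "$gid" "$3" | paste -s -d , -)
    echo "$1 $gid ${names:-<unresolved>}"
}

# gid_mismatch USER ENUM_TEXT SINGLE_TEXT
#   -> prints "USER ENUM_GID SINGLE_GID" and returns 1 when the two lookups
#      disagree; prints nothing and returns 0 when they agree
gid_mismatch() {
    e=$(primary_gid "$1" "$2")
    s=$(primary_gid "$1" "$3")
    if [ "$e" != "$s" ]; then
        echo "$1 $e $s"
        return 1
    fi
    return 0
}

# Stand-alone use against the live NSS database:  sh gidcheck.sh USERNAME
if [ -n "${1:-}" ]; then
    primary_group_report "$1" "$(getent passwd)" "$(getent group)"
    gid_mismatch "$1" "$(getent passwd)" "$(getent passwd "$1")" \
        || echo "enumeration and single lookup disagree for $1" >&2
    echo "gids used by more than one group name:"
    gid_collisions "$(getent group)"
fi
```

Enumeration only returns domain accounts when winbind is configured to enumerate (winbind enum users / winbind enum groups), so an empty result from the enumerated lookup is a configuration difference, not necessarily the post #11 problem. When a gid shows up under gid_collisions, remember that everything keyed by the numeric id (file ownership, setgid inheritance, ACLs) treats the two names as one group, while ls, id and anything that maps gid back to a name will show whichever entry NSS finds first.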
#12  mariochamorro (LQ Newbie)  05-23-2011, 03:06 PM
Useful newgrp / sg commands

While not a way to bend Samba into shape, I think it's worthwhile to mention that the 'newgrp' and 'sg' commands will reset the user's primary group after the initial login. This creates the same effect as configuring that within Samba / Winbind.

[~] sg --help
Usage: sg group [[-c] command]

[~] newgrp --help
Usage: newgrp [-] [group]

[~]
 