Linux - Software forum on LinuxQuestions.org
My RHL machine is integrated with Active Directory.
By default my AD user's primary group is "Domain Users", but I would like to change that to a local Linux group. Somehow the usermod command is not allowing me to make the local Linux group the primary group for the AD user.
# usermod -g localprimarygrp ad_service_account
usermod: ad_service_account not found in /etc/passwd
But "getent passwd" lists all my AD users with the proper UID, GID, home dir and default shell (considering the entries are present in /etc/passwd).
So how can I add my AD user to a local primary group without editing (adding) any entries in /etc/passwd?
Either set the user's gid in AD to the relevant gid of the group you want (to make it its primary group), or add the user to the local group in /etc/group. I think the latter should work to make them an additional member, not 100% sure though.
This is a very tough one. First of all you'll have to use Kerberos authentication or AD will not allow authentication and authorization. You'll have to use nscd for caching accounts also. Last, you are going to have to modify ldap.conf to map POSIX attributes to the LDAP attributes that you add to AD (you can do that using Unix Services for Windows). You can also use samba winbind if you are going to create shares between your Linux and Windows servers. Last, modify the PAM modules in order to create authentication permissions. It took me a while to do this, but it can be done.
I am using samba+winbind for AD integration. Right now I am able to log in with AD users without any issues, but for one of my requirements the AD user should be part of a primary group. While installing software with the AD user, the folder structure is owned by <ad user>:<default ad group>. But I want <ad user>:<local group>. That is possible only if we can make the local group the primary group for the AD user. How can we do this?
One way is to set the sticky bit so that the directories and subdirectories get the same group ownership.
From then on every subdirectory will get the localgroup group ownership.
The other solution would be to give the AD group the same gidnumber as the localgroup, then assign that as the default group to the users. But I don't like doing this because it can become confusing.
This is what I am planning to do. Kindly review.
1. Create an AD group and make it the primary group for our AD user.
2. Find out the GID number of the AD group. (id ADuser - will list the UID and GID numbers)
3. Replace the GID number of localgroup with the AD group's GID number.
Now the AD user is a member of localgroup (i.e. the primary group).
Uday, you're on the right track. What you can do is create an AD group and assign its gidNumber value to be the same as the gidNumber of the localgroup. For example, if your new Linux group is called myusers(1001) then create an AD group called myusers and make sure its gidNumber value is set to 1001. The attribute for the gidNumber can be called anything, but then you'll have to map the attribute with the POSIX nss_map_attribute equivalent in your ldap.conf file. I prefer to call it simply gidNumber.
For those that are reading this thread because you are having trouble getting Samba to use the primary GID you have set in AD, this is why:
The problem is that the idmap ad / idmap config <domain>: ad function, in combination with either schemamode = SFU or schemamode = rfc2307 and winbind nss info = rfc2307 or sfu, after Samba 3.3 no longer uses the relevant gid for the primary GID but defaults to the Windows primaryGroupID attribute, contrary to either schema, so that populating the primary group attribute in AD (gidNumber) does not properly enumerate using getent passwd. It does enumerate using getent passwd <username>, so it is inconsistent in that fashion.
idmap ad with schemamode rfc2307 in Samba 3 between 3.0.something and 3.3.0 worked as expected, where the primary gid enumerated by getent passwd would be the value of gidNumber. They changed idmap radically with 3.3 including the "feature" which I consider a bug, of using the Windows AD attribute primaryGroupID instead of the rfc2307 schema attribute gidNumber. They have for unknown reasons (because I can't find any wiki, blog, or mailing list entries that explain their thought processes) chosen to keep that bizarre default.
I wish they would at least allow an override, to allow the unix primary gid to be gleaned from the rfc2307 gidNumber attribute as it used to be, and still should be. It is preventing me from upgrading Samba.
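As an added example (not from the thread), a few POSIX sh checks for this setup: whether the name service reports the local group's GID as the AD user's primary GID (the plan above), which GIDs are shared by more than one group name (the confusion the "same gidNumber" approach can cause), and whether the full enumeration and the single-user lookup agree, as discussed for Samba 3.3. The account and group records are constructed samples; only enumeration_consistent assumes a live getent.

```shell
#!/bin/sh
# Added example: sanity checks for "local group as the AD user's primary group".
# The checks work on name-service records as text, so they can run against
# constructed input or against live `getent` output.

# GID field of a passwd record ("name:x:uid:gid:gecos:home:shell").
passwd_gid() { printf '%s\n' "$1" | cut -d: -f4; }

# GID field of a group record ("name:x:gid:members").
group_gid() { printf '%s\n' "$1" | cut -d: -f3; }

# Does the user's primary GID, as the name service reports it, equal the
# local group's GID? Returns 0 on match, 1 on mismatch or empty input.
check_primary_group() {
    ugid=$(passwd_gid "$1"); ggid=$(group_gid "$2")
    [ -n "$ugid" ] && [ "$ugid" = "$ggid" ]
}

# GIDs that appear under more than one group name in a group database
# (stdin, one "name:x:gid:members" record per line). Giving an AD group the
# same gidNumber as a local group produces exactly this; `ls -l` and
# `getent group <gid>` then show whichever name the name service returns first.
gid_collisions() {
    cut -d: -f3 | sort | uniq -d
}

# The Samba 3.3+ inconsistency: compare the GID from the full enumeration
# (`getent passwd`) with the GID from a single-user lookup. Returns 0 when they
# agree. Assumes a live name service with `getent` available.
enumeration_consistent() {
    full=$(getent passwd | grep "^$1:" | head -n 1)
    single=$(getent passwd "$1")
    [ -n "$single" ] && [ "$(passwd_gid "$full")" = "$(passwd_gid "$single")" ]
}

# Constructed sample records (not real accounts or groups).
SAMPLE_PASSWD='ad_service_account:*:10001:1001:AD service account:/home/ad_service_account:/bin/bash'
SAMPLE_GROUP='localprimarygrp:x:1001:'
SAMPLE_GROUP_DB='localprimarygrp:x:1001:
wheel:x:10:
domain users:x:10513:
ad_localprimarygrp:x:1001:'

check_primary_group "$SAMPLE_PASSWD" "$SAMPLE_GROUP" && echo "primary group matches localprimarygrp"
echo "GIDs shared by more than one group name:"
printf '%s\n' "$SAMPLE_GROUP_DB" | gid_collisions
```

For a live system, call check_primary_group "$(getent passwd ad_service_account)" "$(getent group localprimarygrp)" and pipe getent group into gid_collisions.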
While not a way to bend Samba into shape, I think it's worthwhile to mention that the 'newgrp' and 'sg' commands will reset the user's primary group after the initial login. This creates the same effect as configuring that within Samba / Winbind.