Adding AD user to a Local Primary Group?

Uday123 · 09-14-2009, 08:56 AM

Hi,

My RHL machine is integrated with Active Directory.

By default my AD user primary group is "Domain Users" but I would like to change that to a local Linux group. Somehow usermod command is not allowing to make tle Local Linux group as primary group for ADuser.

# usermod -g localprimarygrp ad_service_account
usermod: ad_service_account not found in /etc/passwd

But "getent passwd" listing all my AD user list with proper UID,GID,HomeDir,defaultshell (considering the entries r present in /etc/passwd).

So how can I add my AD user to a local primary group without editing(adding) any entries in /etc/passwd.

Thanks in advance.

acid_kewpie · 09-14-2009, 09:43 AM

either set the users gid in AD to the relevant gid of the group you want (to make it its primary group) or add the user to the local group in /etc/group. I think the latter should work to be an additional member, not 100% sure though.

ramram29 · 09-14-2009, 09:55 AM

This is a very tough one. First of all you'll have to use kerberos authentication or AD will not allow authentication and authorization. You'll have to use nscd for caching accounts also. Last you are going to have to modify ldap.conf to map posix attributes with the ldap attributes that you add to AD (you can do that using Unix Services for Windows). You can also use samba winbind if you are going to create shares between your linux and windows servers. Last modify PAM modules in order to create authentication permissions. It took me a while to do this but it can be done.

Uday123 · 09-14-2009, 10:13 AM

Thanks ramram29, acid_kewpie.

I am using samba+winbind for AD integration. Right now I am able to login with AD users without any issues. but for one of my requirement the AD user should be part of a primary group. While installing software with AD user, the folder structure is owned by <ad user>:<default ad group>. But I want <ad user>:<local group>. That is possible only if we can make the local group as a primary group for AD user. How can we do this?

Thanks in advance.

acid_kewpie · 09-14-2009, 03:13 PM

As I already said, can't you just set it within AD?

ramram29 · 09-14-2009, 03:31 PM

Quote:

Originally Posted by Uday123

While installing software with AD user, the folder structure is owned by <ad user>:<default ad group>. But I want <ad user>:<local group>. That is possible only if we can make the local group as a primary group for AD user. How can we do this?

One way is to set the sticky bit so that the directories and subdirectories get the same group ownership.

chown localgroup /home/share
chmod 2775 /home/share

From then on every subdirectory will get the localgroup group owership.

The other solution would be to give the AD group the same gidnumber as the localgroup then assign that as the default group to the users. but I don't like doing this cause it can become confusing.

acid_kewpie · 09-14-2009, 03:38 PM

I'm missing something, or you are really over thinking this one... should be real simple the way I read it, and certainly not a "very tough one".

Uday123 · 09-15-2009, 05:55 AM

Thanks a lot for your replies.

This is what I am planning to do. Kindly review.
1. Create a ADgroup and make it as primary group for our ADuser.
2. findout the GID number of ADgroup. (id ADuser - will list the UID,GID numbers)
3. Replace the GID number of localgroup with ADgroup GID number.

Now the ADuser is a member of localgroup (i.e primary group).

acid_kewpie · 09-15-2009, 07:41 AM

no. just create a local group and take it's gid number, and insert it into the AD user account details.

ramram29 · 09-15-2009, 04:56 PM

Uday, you're on the right track. What you can do is create an AD group and assign its gidNumber value to be the same as the gidNumber of the localgroup. For example if your new Linux group is called myusers(1001) then create an AD group called myusers and make sure it's gidNumber value is set to 1001. The attribute for the gidNumber can be called anything, then you'll have to map the attribute with the POSIX nss_map_attribute equivalent in your ldap.conf file. I prefer to call it simply gidNumber.

jstalewski · 02-24-2011, 02:55 PM

For those that are reading this thread because you are having trouble getting Samba to use the primary GID you have set in AD, this is why:

The problem is that the idmap ad / idmap config <domain>: ad function in combination with either the schemamode = SFU or schemamode = rfc2307 and winbind nss info = rfc2307 or sfu, after Samba 3.3, no longer use the relevant gid for primary GID but default to the Windows primaryGroupID attribute, contrary to either schemas, so that populating the primary group attribute in AD (gidNumber) does not properly enumerate using getent passwd. It does enumerate using getent passwd <username> so it is inconsistent in that fashion.

idmap ad with schemamode rfc2307 in Samba 3 between 3.0.something and 3.3.0 worked as expected, where the primary gid enumerated by getent passwd would be the value of gidNumber. They changed idmap radically with 3.3 including the "feature" which I consider a bug, of using the Windows AD attribute primaryGroupID instead of the rfc2307 schema attribute gidNumber. They have for unknown reasons (because I can't find any wiki, blog, or mailing list entries that explain their thought processes) chosen to keep that bizarre default.

I wish they would at least allow an override, to allow the unix primary gid to be gleaned from the rfc2307 gidNumber attribute as it used to be, and still should be. It is preventing me from upgrading Samba.

mariochamorro · 05-23-2011, 03:06 PM

While not a way to bend Samba into shape , I think it's worthwhile to mention that the 'newgrp' and 'sg' commands will reset the user's primary group after the initial login . This creates the same effect as configuring that within Samba / Winbind .

[~] sg --help
Usage: sg group [[-c] command]

[~] newgrp --help
Usage: newgrp [-] [group]

[~]