How to define default GID using Active Directory
Hi Folks,
I hope some Unix gurus/experts will be able to help me. :)
This issue has been driving me crazy for 2 days.
Here is the context. I'm working for a small startup (less than 10 guys).
Besides my principal job, I'm in charge of CAD/IT, meaning I'm definitely not an IT expert.
In our company we have a PDC running on Windows Server 2012 R2 with Active Directory.
Most engineers work on Linux (RHEL servers) from a Windows laptop.
Thanks to the Red Hat documentation, I configured Samba/Winbind/KRB5/PAM/NSS in order to have a single set of credentials for both the Windows and Linux environments. I used the RID method.
Everything has been working perfectly for the last 5 years.
This week my boss asked me to add some "separation" mechanism because some external people will be working for us for a few months.
My plan was to create an external (or whatever name) group to control access to the Linux servers.
The troubles start here.
Whatever I do in AD, the external users are always associated with the Domain Users GID by default. :(
In my current setup, I added 2 groups to split internal employees and external sub-contractors.
Here is what I got with the getent group command:
domain users:x:1513:
linuxusers:x:3171:
linuxexternal:x:3172:
The idea is to stop using the default GID 1513.
I want to switch all employees from the GID 1513 to the GID 3171.
The sub-contractors will be members of the GID 3172.
Thus I will be able to control who can access what in the Linux environment.
When I created the new groups in my AD, I do see them using the id command. The test users are members of the newly created groups from AD.
But, and this is my problem, their default GID is 1513 (domain users).
This is not what I want.
uid=3175(tstext) gid=1513(users) groups=1513(users),3172(linuxexternal),3175(tstext)
uid=2115(tstint) gid=1513(users) groups=1513(users),3171(linuxusers),3172(linuxexternal),2115(tstint)
All I want is to be able to specify the default GID per user from Active Directory.
I spent the last 2 days trying several different solutions with no result. :(
Any help would be very very welcome.
I'm quite desperate.
BR,
Seb
Here are the settings on our RHEL servers.
/etc/krb5.conf
…
default_realm = IDDO.LOCAL
…
[realms]
IDDO.LOCAL = {
  kdc = 192.168.14.10
  admin_server = iddo-pdc.iddo.local
  default_domain = IDDO.LOCAL
}
[domain_realm]
.iddo.local = IDDO.LOCAL
iddo.local = IDDO.LOCAL
/etc/samba/smb.conf
…
[global]
workgroup = IDDO
security = ads
realm = IDDO.LOCAL
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = true
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = no
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config IDDO : backend = rid
idmap config IDDO : base_rid = 0
idmap config IDDO : range = 1000-9999
…
/etc/pam.d/system-auth and /etc/pam.d/password-auth
…
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
…
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
…
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
…
session required pam_unix.so
session optional pam_winbind.so
/etc/nsswitch.conf
…
passwd: files winbind
shadow: files winbind
group: files winbind
…
Here, I directly modified the Linux group config (probably I should have used the net groupmap add command).
/etc/group
…
users:x:1513:
…
/etc/default/useradd
…
GROUP=1513
…
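Editor's note with an added example (not part of Seb's post or of any reply): with idmap backend = rid, winbind does not read gidNumber from AD at all; the gid it reports for a user is the user's AD primaryGroupID attribute (a RID) mapped through the RID range, and with the posted smb.conf (range 1000-9999, base_rid 0) that mapping is gid = 1000 + RID, which is exactly why every user comes out as 1513 (Domain Users, RID 513) and why linuxexternal shows up as 3172 (RID 2172). So the "default GID" has to be changed in AD by making the wanted group the user's primary group. The PowerShell below, run on the DC (or anywhere with the RSAT ActiveDirectory module), does that for the tstext / linuxexternal pair from the post; the user and group names are taken from the post, everything else is assumed.

```powershell
# Added example: make 'linuxexternal' the primary group of 'tstext' in AD so that
# winbind's RID idmap backend reports it as the user's gid on the RHEL hosts.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the objects.
Import-Module ActiveDirectory

$User  = 'tstext'          # names taken from the post above
$Group = 'linuxexternal'

# 1. AD only accepts a primary group the user is already a member of
#    (and it must be a security group in the same domain).
$members = Get-ADGroupMember -Identity $Group |
           Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $User) {
    Add-ADGroupMember -Identity $Group -Members $User
}

# 2. primaryGroupID holds the group's RID; AD exposes a group's RID as the
#    constructed attribute primaryGroupToken.
$rid = (Get-ADGroup -Identity $Group -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $User -Replace @{ primaryGroupID = $rid }

# 3. Verify on the AD side and print the gid winbind will derive from it:
#    with 'idmap config IDDO : range = 1000-9999' and 'base_rid = 0' the
#    RID backend maps id = 1000 + RID, so linuxexternal (RID 2172) -> gid 3172.
$u = Get-ADUser -Identity $User -Properties primaryGroupID
'{0}: primaryGroupID={1} -> expected Linux gid {2}' -f `
    $u.SamAccountName, $u.primaryGroupID, (1000 + $u.primaryGroupID)
```

Two things to keep in mind when checking the result on the RHEL side: winbind caches user and group lookups, so run net cache flush (or restart winbind) before re-running id tstext, which should then show gid=3172(linuxexternal); and once a group is a user's primary group, AD stops listing that user in the group's member attribute (the membership is implied by primaryGroupID), so an LDAP or Get-ADGroupMember view that suddenly looks empty is expected, not a lost membership. Domain Users stays a supplementary group of the user, as the id output in the post already shows; keeping it out of the external users' access decisions is then a matter of which groups the server-side ACLs and pam_winbind require group filters name, not of the primary gid.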
Responses