We’re trying to set up FreeIPA to be a good provider of UIDs and GIDs for our 
mostly RHEL systems. Overall, that works great. The issue I’m running into is 
that we need to have the same consistent UIDs and GIDs for our Isilon system, 
which serves up both CIFS and NFS. Each user of the Isilon needs to have a UID 
so that the files are owned properly. The Isilon has a way of getting 
information from both Active Directory and an associated LDAP server. It gets 
its list of users and groups from AD, a list of users, UIDs, groups and GIDs 
from LDAP, and combines accounts that are the same, i.e. ADTEST.LOCAL\abrook and 
abrook from LDAP will be the same user. However, FreeIPA will show abrook (as it 
sees it through the trust relationship with ADTEST.LOCAL) as 
abrook@adtest.local instead of abrook, so the 
Isilon will see them as distinct accounts and won’t merge the information in 
them. I can’t, as far as I can tell right now, tell the Isilon to see users 
with @adtest.local as the same user without the domain. I can tell the Isilon 
to look at a different LDAP attribute as its username, but there is no 
attribute that has only the username.

I noticed in the documentation that if I were to do a sync with Active 
Directory (which isn’t something I want to do), I would get the ntDomainUserID 
attribute that is the same as the samAccountName. This doesn’t happen with a 
trust. Is there a way to get that in place with a custom attribute or pull more 
LDAP attributes from AD?

Has anyone else run into a situation like this? If so, were you able to rectify 
that? If so, how?

We have a ticket open with EMC for the Isilon as well, but want to make sure 
we’re coming at this from all the angles we can.

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
Chicago
T: 773-834-0458 | http://cri.uchicago.edu
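The merge problem described in the post, written out as a small simulation. This is an added example and not code from the original message, from FreeIPA or from the Isilon; the AD entries (sAMAccountName plus domain) and LDAP entries (uid/uidNumber/gidNumber) are constructed sample data, and the three merge functions are hypothetical stand-ins for the appliance's account-matching logic. It shows why an exact match on `sAMAccountName` vs `uid` fails once the trust-provided uid carries the realm, that matching on (short name, realm) keeps the accounts apart correctly, and that simply stripping the realm to force a match lets a same-named user from a second trusted domain take over the UID.

```python
"""Added example (not from the original post): simulate an Isilon-style merge of
AD accounts with LDAP posixAccount entries to show why abrook@adtest.local does not
merge with ADTEST.LOCAL\\abrook, and why stripping the realm is not a safe fix."""

# Constructed sample data. Attribute names mirror AD (sAMAccountName) and
# RFC 2307 (uid/uidNumber/gidNumber); all values are made up for illustration.
AD_USERS = [
    {"domain": "ADTEST.LOCAL", "sAMAccountName": "abrook"},
    {"domain": "ADTEST.LOCAL", "sAMAccountName": "jdoe"},
    {"domain": "OTHER.LOCAL", "sAMAccountName": "abrook"},  # same short name, other trusted domain
]

LDAP_USERS = [
    {"uid": "abrook@adtest.local", "uidNumber": 10001, "gidNumber": 10001},
    {"uid": "jdoe@adtest.local", "uidNumber": 10002, "gidNumber": 10002},
    {"uid": "abrook@other.local", "uidNumber": 20001, "gidNumber": 20001},
]


def _ad_key(u):
    """Render an AD entry as DOMAIN\\user, the form the post uses."""
    return f"{u['domain']}\\{u['sAMAccountName']}"


def merge_exact(ad_users, ldap_users):
    """Merge on exact equality of sAMAccountName and uid (what the post observes).

    Returns {DOMAIN\\user: uidNumber or None}. With realm-qualified uids nothing matches."""
    by_uid = {e["uid"]: e for e in ldap_users}
    return {_ad_key(u): (by_uid[u["sAMAccountName"]]["uidNumber"]
                         if u["sAMAccountName"] in by_uid else None)
            for u in ad_users}


def split_realm(uid):
    """Split 'user@realm' into (user, REALM); realm is None when the uid has none."""
    if "@" in uid:
        user, realm = uid.rsplit("@", 1)
        return user, realm.upper()
    return uid, None


def merge_realm_aware(ad_users, ldap_users):
    """Merge on (short name, realm).

    The trust-qualified uid already carries the realm, so matching on both parts
    pairs each AD account with exactly its own LDAP entry and never crosses domains."""
    by_key = {}
    for e in ldap_users:
        by_key[split_realm(e["uid"])] = e
    result = {}
    for u in ad_users:
        match = by_key.get((u["sAMAccountName"], u["domain"].upper()))
        result[_ad_key(u)] = match["uidNumber"] if match else None
    return result


def merge_strip_realm(ad_users, ldap_users):
    """Merge after discarding the realm (the tempting shortcut).

    Returns (mapping, collisions). When two trusted domains hold the same short
    name, the last LDAP entry seen wins, so a different domain's user silently
    receives the other's UID and therefore its file ownership."""
    by_short = {}
    collisions = []
    for e in ldap_users:
        user, _ = split_realm(e["uid"])
        if user in by_short:
            collisions.append(user)
        by_short[user] = e  # last writer wins
    mapping = {_ad_key(u): (by_short[u["sAMAccountName"]]["uidNumber"]
                            if u["sAMAccountName"] in by_short else None)
               for u in ad_users}
    return mapping, collisions


if __name__ == "__main__":
    print("exact:      ", merge_exact(AD_USERS, LDAP_USERS))
    print("realm-aware:", merge_realm_aware(AD_USERS, LDAP_USERS))
    print("strip-realm:", merge_strip_realm(AD_USERS, LDAP_USERS))
```

The realm-aware variant is the one to aim for on the appliance side if it can be configured to compare the domain part as well as the short name; the strip-realm variant is what a "just look at a different attribute" approach amounts to when that attribute contains only the bare username, and the `collisions` list is the check to run against the directory before relying on it.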

