Does your AD have SFU (or whatever it is called these days) set up?

Ian

On Fri, Apr 22, 2016 at 12:58 PM, Michael Talbott <mtalb...@lji.org> wrote:

> You're exactly right. The DN in AD is the full name and if I create a user
> where the DN and shortname match, then everything works great.
> Unfortunately, I'm not sure if updating all the DNs to match the short name
> will break other dependencies of it deployed in existing software
> elsewhere. One day when I'm feeling brave and have a little downtime
> scheduled, I'll batch update all the entries and see if anything breaks.
> But, I suppose I'm stuck with winbind for the time being. But thank you for
> all the help.
>
> > On Apr 22, 2016, at 11:27 AM, Paul B. Henson <hen...@acm.org> wrote:
> >
> > On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:
> >
> >> all the group members are listed as "John Doe" rather than jdoe which
> >> means that when jdoe logs in, he can't access his groups due to the
> >> naming disconnect. Any ideas of how to fix that? Somehow map the group
> >> members to samAccountName rather than the DN?
> >
> > How is your AD structured? It sounds like it's using full names for DN's
> > rather than usernames? If so, that's not going to work.
> >
> > Our AD uses usernames for DN's; for example, I'm:
> >
> > dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > cn: henson
> > sn: Henson
> > givenName: Paul
> > initials: B.
> > distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > displayName: Paul B. Henson
> > sAMAccountName: henson
> >
> > and if you look at a group I'm in:
> >
> > dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> > cn: netadmin
> > description: Network admins
> > member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> > sAMAccountName: netadmin
> >
> > So the RDN for both users and groups is the short name that a unix box
> > expects to see, and the long name is in the displayName or description.
> >
> > I'm guessing you're using the full name as the CN and your users look
> > like:
> >
> > dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> >
> > so your group members look like:
> >
> > member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> >
> > If that's the case, I don't think there's any way you can get it to
> > work. The rfc2307bis group support expects the RDN to be the username,
> > there's no way to get it to look up some other attribute of the entry
> > and use it instead.
> >
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss@lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>

--
Ian Kaufman
Research Systems Administrator
UC San Diego, Jacobs School of Engineering
ikaufman AT ucsd DOT edu
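
The naming mismatch discussed in the quoted messages can be audited offline before changing any DNs. The script below is an added example, not part of the original thread: it reads an LDIF export and lists group members whose leftmost RDN differs from the account's sAMAccountName. The sample entries and the `example.test` domain are constructed, and the parser assumes plain LDIF without folded or base64 lines.

```python
import re

# Constructed sample export, in the shape of the LDIF quoted in the thread.
SAMPLE_LDIF = """\
dn: CN=henson,OU=user,DC=ad,DC=example,DC=test
sAMAccountName: henson

dn: CN=John Doe,OU=user,DC=ad,DC=example,DC=test
sAMAccountName: jdoe

dn: CN=netadmin,OU=group,DC=ad,DC=example,DC=test
sAMAccountName: netadmin
member: CN=henson,OU=user,DC=ad,DC=example,DC=test
member: CN=John Doe,OU=user,DC=ad,DC=example,DC=test
"""

def parse_ldif(text):
    """Parse plain LDIF (no folded or base64 '::' lines) into dn -> {attr: [values]}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                attrs.setdefault(name.lower(), []).append(value)
        if attrs.get("dn"):
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def rdn_value(dn):
    """Return the value of the leftmost RDN, honouring backslash-escaped commas."""
    m = re.match(r"[^=]+=((?:\\.|[^,\\])*)", dn)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def mismatched_members(entries):
    """List (group, member RDN, sAMAccountName) where the RDN is not the login name."""
    out = []
    for attrs in entries.values():
        for member_dn in attrs.get("member", []):
            user = entries.get(member_dn.lower())
            if user is None:
                continue  # member is outside the export; cannot be judged here
            sam = user.get("samaccountname", [""])[0]
            if rdn_value(member_dn).lower() != sam.lower():
                out.append((attrs["samaccountname"][0], rdn_value(member_dn), sam))
    return out

if __name__ == "__main__":
    for group, rdn, sam in mismatched_members(parse_ldif(SAMPLE_LDIF)):
        print(f"{group}: member RDN {rdn!r} != sAMAccountName {sam!r}")
```

An empty result means every group member's RDN already matches the login name a Unix client expects.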