On Mon, Jul 01, 2013 at 06:04:57AM +0000, greg.lehm...@csiro.au wrote:
> I missed this reply and had to go looking for it, so this is a bit late.
> 
> The RFE mentioned below does not sound like what I am after. We already have 
> the gidNumber attribute for users set in AD to what we need. In fact all our 
> required user Unix attributes are set. What is missing is the ability to do a 
> lookup on that gid and get the name of the group (it should equal the 
> userid/username.) We would like an ls -l to show a group name rather than a 
> gid when it is run on files which have a private group. One way to do this 
> would be to lookup on uidNumber in users if the gidNumber lookup in Groups 
> fails.

If I understand it correctly you currently set the gidNumber manually to
the same value as uidNumber in AD but do not create a group object with
this gidNumber as well. By default SSSD uses the objectclass given by
ldap_group_object_class to find groups, which is typically 'group' for
AD. To make your setup work you should set ldap_group_object_class to an
objectclass which is shared by user and group objects. Unfortunately I
think this is only 'top'. With this SSSD should be able to find user and
group objects when there is a group search request with a given
gidNumber. Luckily AD does not allow user and group objects to have the
same name, because otherwise name based lookups will end in a mess.
Nevertheless there is no guarantee that there is no group object with
the same gidNumber; in this case you get a conflict and the name cannot
be resolved.

HTH

bye,
Sumit

> 
> Thanks,
> 
> Greg
> 
> > -----Original Message-----
> > From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-
> > boun...@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
> > Sent: Tuesday, 25 June 2013 6:38 PM
> > To: sssd-devel@lists.fedorahosted.org
> > Subject: Re: [SSSD] question on private groups with AD domain
> > 
> > On Mon, Jun 24, 2013 at 11:32:46PM +0000, greg.lehm...@csiro.au wrote:
> > > Hi All,
> > > Red Hat tend to configure users by default with uid=gid when a user
> > > is created. This means there is a corresponding private group with
> > > the same name as the user. It is not possible to do this in AD
> > > without a bit of trickery. Is there any way to configure sssd so it
> > > tries to map the gid through the user uid-name mapping if no match is
> > > found on the gid to group name mapping? If not can I request this
> > > feature be added please?
> > >
> > > TIA,
> > 
> > Hi Greg,
> > This RFE is being tracked in https://fedorahosted.org/sssd/ticket/1872
> > 
> > There is also some workaround mentioned in the ticket. Alternatively,
> > you can check out the "override_gid" option in the sssd.conf man page.
> > _______________________________________________
> > sssd-devel mailing list
> > sssd-devel@lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
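An added illustration, not code from this thread or from SSSD: a small audit that models the group search Sumit describes as the filter (&(objectClass=X)(gidNumber=N)) and reports which gidNumber values would resolve to one name and which would conflict once ldap_group_object_class is widened to 'top'. The LDIF records, the example.test DNs and the use of sAMAccountName as the name attribute are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample (not from the thread): two users with gidNumber equal to
# uidNumber and no matching group object, plus one group that reuses 10002.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: top
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: top
objectClass: user
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10002

dn: CN=legacy,CN=Users,DC=example,DC=test
objectClass: top
objectClass: group
sAMAccountName: legacy
gidNumber: 10002
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no line folding, no base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value)
        entries.append(entry)
    return entries

def group_search(entries, gid, object_class):
    """Model the filter (&(objectClass=<object_class>)(gidNumber=<gid>))."""
    return sorted(e["sAMAccountName"][0] for e in entries
                  if object_class in e["objectClass"]
                  and str(gid) in e["gidNumber"])

def audit(entries, object_class="top"):
    """Label each gidNumber by how many objects the group search returns."""
    labels = {0: "unresolved", 1: "ok"}
    gids = sorted({int(g) for e in entries for g in e["gidNumber"]})
    return {g: labels.get(len(group_search(entries, g, object_class)), "conflict")
            for g in gids}
```

Running audit(parse_ldif(...)) over an export of the real directory before changing ldap_group_object_class lists the gidNumber values that would hit the conflict case.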
