1

Background: Our org has used NIS for 20+ years for UNIX/Linux authentication, continuing thru the present time. Windows and Active Directory came on the scene in our org sometime around 16 years ago, but AD was never used for Linux auth (only using RHEL/CentOS and Ubuntu Linux now, all other *nix has fallen by the wayside.) So, on all of our many Linux resources, we are still using traditional UID/GID ranges for users' files.

Now, management has finally dictated that we need to move to AD for Linux auth, and stop using NIS (no real argument there ;) and so we are working on utilizing SSSD to do this (which seems to be the popular [only?] way to integrate Linux auth against AD.) The issue we are facing is how to associate the old NIS-based UID and GID values for the users to their new AD-based identity. For instance, my AD-auth'd user on a test system has this from getent passwd -s sss wdennis:

root@vm01:~# getent passwd -s sss wdennis
wdennis:*:140001116:140000513:Will Dennis:/home/wdennis:/bin/bash

So obviously the UID/GID is auto-generated, and does not correspond with our current NIS values. In doing some research on AD and its schema, I see that the user attributes include the following:

  • uidNumber
  • gidNumber
  • unixHomeDirectory
  • loginShell

My question, can SSSD (or whatever we use to auth) somehow consume the values of uidNumber and gidNumber to map the existing UID/GID of files to the new AD-auth'd user? Or, how else can we associate the existing file ownership info to the AD-auth'd users? (Due to the number of files and machines having them, it's not really possible to chown the files to the new UID/GID vales...)

Will Dennis
  • 304
  • 4
  • 16

1 Answers1

1

Yes, sssd can use the POSIX attributes from AD instead of doing its own ID mapping.

In the section for your AD domain in /etc/sssd/sssd.conf, simply set ldap_id_mapping = false.

If you have already used sssd's automatic ID mapping on a computer, be sure to clear its cache before you restart sssd.

rm -f /var/lib/sss/db/*

When using realm join to join a new computer to the domain, include the command line option --automatic-id-mapping=no.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
  • Works, thanks! One other question -- do you need the POSIX attrib's filled then on every user that wants to login via SSSD? Or is there a way to let some folks have those attrib's & SSSD uses them, and if not, it generates values? – Will Dennis Jul 21 '21 at 02:55
  • @WillDennis AFAIK it's one or the other for the entire domain, but I haven't touched one of these setups in several years. – Michael Hampton Jul 21 '21 at 02:57
  • And as an alternative to all this, consider putting your Linux systems in a FreeIPA domain and setting up a trust to AD. This isn't a solution to your UID issue, but it is a solution to issues you may have down the road, such as setting domain-wide sudo policies and other Linux-centric features FreeIPA provides and AD does not. – Michael Hampton Jul 21 '21 at 03:01