
We're in the process of moving from NIS on our Linux systems to binding everything to Active Directory. The NIS environment follows the common standard used by many Linux distributions that a user's primary group is a group of the same name as the user (and of which the user is typically the only member).

I have been informed that in the Active Directory environment, you may not have a group name with the same name as a user (specifically, that no two AD security objects may have the same name). This would seem to complicate the process of moving our group definitions into AD. It looks like we could maintain the NIS group information in AD using only POSIX attributes (e.g., not an actual AD security object), but that seems like a suboptimal fix (because we do really want to have the same view of group membership in both the Unix and AD worlds).

Have you moved a large legacy NIS environment into Active Directory? How did you handle this situation?

larsks

2 Answers

I also ran into the same problem. After reading a lot of docs I came up with the following "solution":

  • To work around the name clashes I renamed User Private Groups by adding a "g" character at the beginning. For example: User=erik, Group=erik. Now on Active Directory I named the group "gerik". This way I can continue concentrating on AD migration without thinking about the User Private Groups problem right now.

  • Slowly stop using User Private Groups as this does not seem to be the way to go - at least when using Active Directory. This can be done by creating a new group like "unixgrp" or using "Domain Users", but I do not like "Domain Users" because that name is so long when displaying files with "ls".

  • Be careful when migrating from User Private Groups to a common group like "unixgrp". Do not just change the group of all files to "unixgrp". If for example a user has group write permissions on a file owned by his user private group and you change the group to "unixgrp", then all users in "unixgrp" will also have write access to that file. So some kind of script has to modify permissions the right way... have fun with that!

I admit that the only real solution would be to somehow support User Private Groups when using Active Directory. But I do not know how...
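As an added example (not part of the answer above), here is a Python script for the permission-fixing step the answer asks for: files still owned by a user private group get their group bits reduced before they are moved to a shared group. It generalizes beyond write: under a UPG the group bits reached nobody but the owner, so any group bit that "other" does not already hold is dropped, which keeps effective access unchanged. It assumes it runs as root on a host where the NIS users and groups are still resolvable, that `unixgrp` (the answer's name) is the target group, and that `migrate_tree` is called with `apply=False` first to review the plan.

```python
import os
import stat
import grp
import pwd

def user_private_gids():
    """GIDs of user private groups: group name matches a user, it is that
    user's primary group, and it lists no member other than that user."""
    gids = set()
    for g in grp.getgrall():
        try:
            u = pwd.getpwnam(g.gr_name)
        except KeyError:
            continue  # a group with no user of the same name is not a UPG
        if u.pw_gid == g.gr_gid and set(g.gr_mem) <= {g.gr_name}:
            gids.add(g.gr_gid)
    return gids

def preserved_group_mode(mode):
    """Keep only group bits that 'other' already has; under a UPG the group
    bits granted nothing to anyone but the owner, so this preserves access.
    setuid/setgid/sticky bits are left as they are."""
    other = mode & 0o007
    group = (mode >> 3) & 0o007
    return (mode & ~0o070) | ((group & other) << 3)

def plan_entry(path, st_mode, st_gid, upg_gids, new_gid):
    """Plan for one directory entry; None means leave it alone.
    Symlinks are skipped so their targets are handled where they live."""
    if stat.S_ISLNK(st_mode) or st_gid not in upg_gids:
        return None
    old = stat.S_IMODE(st_mode)
    return (path, old, preserved_group_mode(old), new_gid)

def migrate_tree(root, upg_gids, new_gid, apply=False):
    """Walk root and return (path, old_mode, new_mode, gid) tuples.
    With apply=True the mode is fixed first, then the group is changed."""
    actions = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            act = plan_entry(path, st.st_mode, st.st_gid, upg_gids, new_gid)
            if act is None:
                continue
            actions.append(act)
            if apply:
                if act[2] != act[1]:
                    os.chmod(path, act[2])
                os.chown(path, -1, new_gid)  # -1 leaves the owner unchanged
    return actions
```

A dry run is `migrate_tree("/home", user_private_gids(), grp.getgrnam("unixgrp").gr_gid)`; print the returned tuples, check them, and only then rerun with `apply=True`.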


Likewise has a product called The UID-GID Management Tool Module that can be used with Likewise Open to enhance your control over uid/gid mapping to Active Directory.

From the feature list:

Mirror your organizational units with Likewise cells and map Active Directory users and groups to UIDs and GIDs.

I have used Likewise Open and it works quite well but had no need to acquire this module.

chmeee