I'm not quite sure what questions to ask...

I have a Debian box used by 10 or 12 people on a university campus; most of
them are using it just as file-storage via Samba from their Windows/Macs
boxes; a few are ssh'ing into it, etc, for other usages; some have web
sites on it.

For years their accounts have been maintained as local accounts on that
Debian box, but as we're swapping out hardware, I'm also thinking it's time
to swap out account management to let our campus-wide Active Directory
provide their accounts instead of them (and me) having to maintain two
separate sets of account credentials (three, if you include the samba
file-sharing account on the old Debian setup).

After considerable hair-pulling, I've managed to get the box to
authenticate using their AD credentials, so that a user can simply ssh in
without having an account on the box, using their AD credentials. But of
course, their User IDs in AD are different from what they were on the old
Debian box, so their file permissions are different.

Since it's just a dozen users or so, I can easily "id" their AD UID and
"chown -R" their files in their home directory (which have been copied over
manually from the old Debian box) to their AD UID.

But that leaves several questions:

1) If I just "chown -R", that changes the ownership of all the files,
regardless of how the files may have been set up on the old box. For example,
I notice in at least one web directory for one user, the files were owned
by www-data, with the group ownership set to the group name corresponding
to the user's name on the old box. Changing that ownership from "www-data"
to "joe_user" might break things. Is there a way to just chown the
ownership of files already owned by the old username?

2) The group that all the AD-authenticated users are in is "domain users".
That means that any files formerly owned by suzy:suzy are now owned by
suzy:"domain users", and if a file is set to 770 (or similar), any one of
the people logging in can access any other person's files as a member of
that group. Not good.

2a) What's the best route for dealing with this group ownership issue? Can
I remap the group for all AD-authenticated users to be their own username,
like it was in the old Debian setup? Is that even a good idea?

2b) I'm skittish of having spaces in group names (or files, etc), and would
rather that "domain users" be something like "domain_users"; does the AD
authentication process have some way of remapping that name to one without
spaces? (Or this may be a moot question, depending on the answer to 2a
above.)

3) Can I limit logins/file-sharing to just a subset of campus users (one
department, not just anyone having a campus account)?

4) I haven't even begun to think about how to tie this into their samba (or
is it "cifs" nowadays?) file shares. Any pointers dealing with that would
be appreciated.

Thanks!

-- 
Kent


-- 
Kent West                    <")))><
Westing Peacefully - http://kentwest.blogspot.com
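Added example for questions 1 and 2 above (not part of the original post): a selective re-owning pass that only touches files belonging to the old local account, plus a check that counts what the "domain users" group can reach. It assumes numeric IDs looked up beforehand (the old UID/GID from the old box's /etc/passwd and /etc/group, the new ones from `id -u`/`id -g` of the AD account on the new box), and that it is run as root on the real box; the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original post. IDs are assumed to be numeric
# and looked up beforehand; run as root when applied to real home directories.

# Re-own only the files that belonged to the old local account. Files owned
# by anyone else (www-data in a web directory, for instance) are left alone,
# which a plain "chown -R" would not do.
# remap_owner OLD_UID NEW_UID OLD_GID NEW_GID DIR
remap_owner() {
    old_uid=$1 new_uid=$2 old_gid=$3 new_gid=$4 dir=$5
    # -h changes a symlink itself instead of following it into another tree.
    find "$dir" -user "$old_uid" -exec chown -h "$new_uid" {} +
    # Group changes are independent of owner changes: a www-data:olduser file
    # keeps www-data as its owner but gets the new group.
    find "$dir" -group "$old_gid" -exec chgrp -h "$new_gid" {} +
}

# Count files and directories under DIR whose group is GID and that grant any
# group permission (r, w or x). When "domain users" is everyone's primary
# group, each hit is readable, writable or traversable by every AD user,
# so this is the list to tighten (chmod g-rwx, or a per-user group).
# count_group_accessible GID DIR
count_group_accessible() {
    gid=$1 dir=$2
    find "$dir" -group "$gid" \
        \( -perm -040 -o -perm -020 -o -perm -010 \) | wc -l | tr -d ' '
}
```

Both passes are idempotent, so they can be re-run after more files are copied over. To see the actual paths rather than a count, drop the `wc -l` and let `find` print them.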
