Hi all,

We asked this same question at discussions.apple.com, but figured we'd have
better luck here. I apologize in advance if this is the wrong forum.

We are switching from Synology (DSM 5) to Mavericks server (v3.1.1 running
in Mavericks 10.9.2) for File Sharing. We use a FreeIPA (ipa-server.x86_64
3.0.0-37.el6) backend for SSO, and the Mac server seems correctly
bound to it. Unfortunately, although we can add usernames to the shares for
the initial config, the usernames transform to UIDs after (only for SSO
accounts; local accounts are not affected). That is, when we go to edit the
permissions for a share, all we see are UIDs. We can always figure out the
username from the UID, but this is an extra step we don't want to have.
We've tried reinstalling the Mac server app from scratch, re-binding to the
FreeIPA backend, changing mappings in Directory Utility (for example,
mapping GeneratedUID to uid, which is the username), recreating the shares
and permissions, etc. Here are more details about the binding:

* The binding happens thru a custom package we created based primarily on
* Sys Prefs, Users & Groups, Login Options show the server bound to the
FreeIPA backend with the green dot
* The following mappings are in place in Directory Utility, Services,
LDAPv3, FreeIPA backend

Users: inetOrgPerson
     AuthenticationAuthority: uid
     GeneratedUID: random number in uppercase
     HomeDirectory: #/Users/$uid$
     NFSHomeDirectory: #/Users/$uid$
     OriginalHomeDirectory: #/Users/$uid$
     PrimaryGroupID: gidNumber
     RealName: cn
     RecordName: uid
     UniqueID: uidNumber
     UserShell: loginShell
Groups: posixgroup
     PrimaryGroupID: gidNumber
     RecordName: cn

The search bases are correct

* Directory Utility, Directory Editor shows the right info for the users.
* $ id $USERNAME shows the right information for the user

FreeIPA is working beautifully for our Mac / Linux environment. We provide
directory services to about 300 hosts and 200 employees using it, and
haven't had any problems LDAP-wise until now. So we think we are missing a
mapping here. Any ideas?


Fredy Sanchez
IT Manager @ Modernizing Medicine
(561) 880-2998 x237

*Need IT support?* Visit https://mmit.zendesk.com

