On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> Hi all,
> We asked this same question at discussions.apple.com, but figured we'd have
> better luck here. I apologize in advance if this is the wrong forum.
> We are switching from Synology (DSM 5) to Mavericks server (v3.1.1 running
> in Mavericks 10.9.2) for File Sharing. We use a FreeIPA (ipa-server.x86_64
> 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly
> bound to it. Unfortunately, although we can add usernames to the shares for
> the initial config, the usernames transform to UIDs after (only for SSO
> accounts; local accounts are not affected). That is, when we go to edit the
> permissions for a share, all we see are UIDs. We can always figure out the
> username from the UID, but this is an extra step we don't want to have.
> We've tried reinstalling the Mac server app from scratch, re-binding to the
> FreeIPA backend, changing mappings in Directory Utility (for example,
> mapping GeneratedUID to uid, which is the username), recreating the shares
> and permissions, etc. Here are more details about the binding:
> * The binding happens through a custom package we created based primarily on
> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> * Sys Prefs, Users & Groups, Login Options show the server bound to the
> FreeIPA backend with the green dot
> * The following mappings are in place in Directory Utility, Services,
> LDAPv3, FreeIPA backend
> Users: inetOrgPerson
>      AuthenticationAuthority: uid
>      GeneratedUID: random number in uppercase
>      HomeDirectory: #/Users/$uid$
>      NFSHomeDirectory: #/Users/$uid$
>      OriginalHomeDirectory: #/Users/$uid$
>      PrimaryGroupID: gidNumber
>      RealName: cn
>      RecordName: uid
>      UniqueID: uidNumber
>      UserShell: loginShell
> Groups: posixgroup
>      PrimaryGroupID: gidNumber
>      RecordName: cn
> The search bases are correct
> * Directory Utility, Directory Editor shows the right info for the users.
> * $ id $USERNAME shows the right information for the user
> FreeIPA is working beautifully for our Mac / Linux environment. We provide
> directory services to about 300 hosts, and 200 employees using it; and
> haven't had any problems LDAP-wise until now. So we think we are missing a
> mapping here. Any ideas?

I quickly tried to check for some documentation on how to configure this
stuff, but found only useless superficial guides on how to find the
pointy/clicky buttons to push to enable the service.

I am not a Mac expert by a long shot so I cannot help you much here.

Is there any guide available on how to use this service with other LDAP
servers, like OpenLDAP or Active Directory? We can probably draw some
conclusions from there.


Simo Sorce * Red Hat, Inc * New York
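To make the mapping in the quoted message concrete, here is an added illustration (written for this page, not code from FreeIPA, Apple, or the poster) of how the Directory Utility LDAPv3 user mapping turns an inetOrgPerson entry into an Open Directory-style record, and of the reverse step the poster is doing by hand: resolving a numeric UniqueID back to a RecordName. The LDIF entries are constructed, the GeneratedUID line is left out because the post does not show a real attribute for it, and the reading of `#/Users/$uid$` as a literal template with `$attr$` substitution is an assumption about how Directory Utility interprets that syntax.

```python
"""Added example: apply the Directory Utility LDAPv3 user mapping quoted in
the thread to constructed LDIF entries, then resolve UniqueID -> RecordName.
Not code from FreeIPA, Apple or the original poster."""

import re

# Mapping as posted in the thread (GeneratedUID omitted: the post shows no
# LDAP attribute for it).  Assumption: a value beginning with '#' is a
# literal template in which $attr$ is replaced by the entry's attribute
# value; any other value names an LDAP attribute to copy.
USER_MAPPING = {
    "AuthenticationAuthority": "uid",
    "HomeDirectory": "#/Users/$uid$",
    "NFSHomeDirectory": "#/Users/$uid$",
    "OriginalHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "gidNumber",
    "RealName": "cn",
    "RecordName": "uid",
    "UniqueID": "uidNumber",
    "UserShell": "loginShell",
}

# Constructed sample entries in LDIF form (not real directory data).
SAMPLE_LDIF = """\
dn: uid=fsanchez,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: fsanchez
cn: Fredy Sanchez
uidNumber: 1234
gidNumber: 1234
loginShell: /bin/bash

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 1235
gidNumber: 1235
loginShell: /bin/zsh
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values.
    Entries are separated by blank lines; no base64 or continuation lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


_VAR = re.compile(r"\$(\w+)\$")


def map_attribute(spec, entry):
    """Resolve one mapping spec against an LDAP entry (first value wins)."""
    if spec.startswith("#"):
        # Literal template: substitute each $attr$ from the entry.
        return _VAR.sub(lambda m: entry.get(m.group(1), [""])[0], spec[1:])
    values = entry.get(spec)
    return values[0] if values else None


def to_od_record(entry, mapping=USER_MAPPING):
    """Build the record the mapping produces for one LDAP entry."""
    return {od_attr: map_attribute(spec, entry) for od_attr, spec in mapping.items()}


def build_directory(ldif_text):
    return [to_od_record(e) for e in parse_ldif(ldif_text)]


def lookup_by_uniqueid(records, uid_number):
    """Reverse lookup UniqueID -> RecordName: the resolution the poster is
    doing manually when the permissions editor shows only numbers."""
    for rec in records:
        if rec["UniqueID"] == str(uid_number):
            return rec["RecordName"]
    return None


if __name__ == "__main__":
    records = build_directory(SAMPLE_LDIF)
    for r in records:
        print(r["RecordName"], r["UniqueID"], r["NFSHomeDirectory"], r["UserShell"])
    print("1234 ->", lookup_by_uniqueid(records, 1234))
    print("9999 ->", lookup_by_uniqueid(records, 9999))
```

Running it against a real directory would mean replacing `SAMPLE_LDIF` with an `ldapsearch` dump of the user base; if the reverse lookup succeeds here for a UID that the Server app still shows as a number, the problem is not in the posted attribute mapping but in whatever identifier the share ACLs actually store.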

Freeipa-users mailing list