It does have the Unix extensions on it which is how I was able to get this far (set uids/gids/etc in AD). But I don't have the old Windows NIS service running though, so I don't use the SFU30 or whatever attributes since I believe those are all obsoleted and will soon likely disappear.
________________________
Michael Talbott
Systems Administrator
La Jolla Institute

> On Apr 22, 2016, at 1:18 PM, Ian Kaufman <[email protected]> wrote:
>
> Does your AD have SFU (or whatever it is called these days) set up?
>
> Ian
>
> On Fri, Apr 22, 2016 at 12:58 PM, Michael Talbott <[email protected]> wrote:
> You're exactly right. The DN in AD is the full name and if I create a user
> where the DN and shortname match, then everything works great. Unfortunately,
> I'm not sure if updating all the DNs to match the short name will break other
> dependencies of it deployed in existing software elsewhere. One day when I'm
> feeling brave and have a little downtime scheduled, I'll batch update all the
> entries and see if anything breaks. But, I suppose I'm stuck with winbind for
> the time being. But thank you for all the help.
>
> > On Apr 22, 2016, at 11:27 AM, Paul B. Henson <[email protected]> wrote:
> >
> > On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:
> >
> >> all the group members are listed as "John Doe" rather than jdoe which
> >> means that when jdoe logs in, he can't access his groups due to the
> >> naming disconnect. Any ideas of how to fix that? Somehow map the group
> >> members to samAccountName rather than the DN?
> >
> > How is your AD structured? It sounds like it's using full names for DN's
> > rather than usernames? If so, that's not going to work.
> >
> > Our AD uses usernames for DN's; for example, I'm:
> >
> > dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > cn: henson
> > sn: Henson
> > givenName: Paul
> > initials: B.
> > distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > displayName: Paul B. Henson
> > sAMAccountName: henson
> >
> > and if you look at a group I'm in:
> >
> > dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> > cn: netadmin
> > description: Network admins
> > member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> > sAMAccountName: netadmin
> >
> > So the RDN for both users and groups is the short name that a unix box
> > expects to see, and the long name is in the displayName or description.
> > I'm guessing you're using the full name as the CN and your users look
> > like:
> >
> > dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> >
> > so your group members look like:
> >
> > member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> >
> > If that's the case, I don't think there's any way you can get it to
> > work. The rfc2307bis group support expects the RDN to be the username,
> > there's no way to get it to look up some other attribute of the entry
> > and use it instead.
>
> _______________________________________________
> OmniOS-discuss mailing list
> [email protected]
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>
> --
> Ian Kaufman
> Research Systems Administrator
> UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu
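Added example, not from any of the messages above: the Python below reads an LDIF export and reports every group `member` whose leftmost RDN differs from that user's `sAMAccountName`, the condition Paul describes as incompatible with rfc2307bis group lookups. The sample entries, including the `jdoe` and `jadoe` usernames, are constructed, and the parser assumes unfolded, non-base64 LDIF.

```python
import re

# Constructed sample (not real directory data): simplified LDIF with no
# line folding or base64 values. Usernames jdoe and jadoe are made up.
SAMPLE = r"""
dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
sAMAccountName: henson

dn: CN=John Doe,OU=user,DC=ad,DC=cpp,DC=edu
sAMAccountName: jdoe

dn: CN=Doe\, Jane,OU=user,DC=ad,DC=cpp,DC=edu
sAMAccountName: jadoe

dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
sAMAccountName: netadmin
member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
member: CN=John Doe,OU=user,DC=ad,DC=cpp,DC=edu
member: CN=Doe\, Jane,OU=user,DC=ad,DC=cpp,DC=edu
"""

def parse_ldif(text):
    """Parse blank-line-separated 'attr: value' records into dicts of lists."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def rdn_value(dn):
    """Leftmost RDN value with backslash escapes removed (hex pairs such as \\2C are not decoded)."""
    first = re.match(r"(?:\\.|[^,\\])*", dn).group(0)  # stop at first unescaped comma
    return re.sub(r"\\(.)", r"\1", first.partition("=")[2]).strip()

def audit(entries):
    """Return (group, member RDN, sAMAccountName) wherever RDN != username."""
    sam_by_dn = {e["dn"][0].lower(): e["samaccountname"][0]
                 for e in entries if "dn" in e and "samaccountname" in e}
    findings = []
    for e in entries:
        for member in e.get("member", []):
            sam = sam_by_dn.get(member.lower())  # None: member DN not in the export
            rdn = rdn_value(member)
            if sam is None or rdn.lower() != sam.lower():
                findings.append((rdn_value(e["dn"][0]), rdn, sam))
    return findings
```

An empty result from `audit(parse_ldif(...))` means every listed member's RDN already matches its short name; each tuple returned is a membership that would show the full-name mismatch from the thread.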
