You have to have gids associated with your AD groups to make use of your AD groups; there is no way around this.
This is the ldapclient command we use (note: in testing, getent passwd returns an AD error; you have to run getent passwd <username>. This doesn't seem to affect the performance or usability of any of our Solaris systems):

ldapclient -v manual \
  -a followReferrals=false \
  -a "defaultServerList=1.2.3.4 1.2.3.5 1.2.3.6 1.2.3.7" \
  -a credentialLevel=proxy \
  -a authenticationMethod=simple \
  -a proxyDN=CN=bind_user,CN=Users,DC=csc,DC=calpoly,DC=edu \
  -a proxyPassword=bind_pw \
  -a defaultSearchBase=dc=csc,dc=calpoly,dc=edu \
  -a domainName=csc.calpoly.edu \
  -a attributeMap=group:userpassword=userPassword \
  -a attributeMap=group:memberuid=memberUid \
  -a attributeMap=group:gidnumber=gidNumber \
  -a attributeMap=passwd:gecos=gecos \
  -a attributeMap=passwd:gidnumber=gidNumber \
  -a attributeMap=passwd:uidnumber=uidNumber \
  -a attributeMap=passwd:homedirectory=unixHomeDirectory \
  -a attributeMap=passwd:loginshell=loginShell \
  -a attributeMap=shadow:shadowflag=shadowFlag \
  -a attributeMap=shadow:userpassword=userPassword \
  -a objectClassMap=group:posixGroup=group \
  -a objectClassMap=passwd:posixAccount=user \
  -a objectClassMap=shadow:shadowAccount=user \
  -a serviceSearchDescriptor=passwd:dc=csc,dc=calpoly,dc=edu?sub \
  -a serviceSearchDescriptor=group:dc=csc,dc=calpoly,dc=edu?sub

In AD: AD Users and Computers -> Search -> (!! select your domain in the drop-down, NOT "Entire Directory") -> search for your group -> right click -> Properties -> UNIX Attributes. Select your NIS domain and specify a unique gid for your AD group.

The sort of confusing part is that Microsoft refers to NIS in many places where they should intend to say "Services for UNIX". Also, if you search for everything in your directory, the UNIX Attributes tab will be conveniently hidden.

Josh

On Mon, Sep 29, 2008 at 12:30 PM, Rob <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> On our Solaris AD integration, we're using idmap and ldapclient with win2k3
> r2's SFU attributes to map permanent UID/GIDs and other attributes to
> users.
>
> One problem that we're running into is that Microsoft has two
> separate places in AD for group membership, one for normal AD groups and one
> for NIS/SFU groups.
>
> Is it possible to tell the Solaris ldap client to use the AD groups for
> group membership instead of the NIS/SFU posix groups? I've attached a copy of
> our current ldapclient join command; I hope it's as simple as modifying the
> ldap attribute that Solaris uses to look up group membership?
>
> /usr/sbin/ldapclient -v manual \
>   -a credentialLevel=proxy \
>   -a authenticationMethod=simple \
>   -a proxyDN=cn=user,dc=domain,dc=com \
>   -a proxyPassword=password \
>   -a defaultSearchBase=dc=domain,dc=com \
>   -a domainName=domain.com \
>   -a defaultServerList=dc1,dc2 \
>   -a attributeMap=group:userpassword=userPassword \
>   -a attributeMap=group:memberuid=memberUid \
>   -a attributeMap=group:gidnumber=gidNumber \
>   -a attributeMap=passwd:gecos=cn \
>   -a attributeMap=passwd:gidnumber=gidNumber \
>   -a attributeMap=passwd:uidnumber=uidNumber \
>   -a attributeMap=passwd:homedirectory=unixHomeDirectory \
>   -a attributeMap=passwd:loginshell=loginShell \
>   -a attributeMap=shadow:shadowflag=shadowFlag \
>   -a attributeMap=shadow:userpassword=userPassword \
>   -a objectClassMap=group:posixGroup=group \
>   -a objectClassMap=passwd:posixAccount=user \
>   -a objectClassMap=shadow:shadowAccount=user \
>   -a serviceSearchDescriptor=passwd:dc=domain,dc=com?sub \
>   -a serviceSearchDescriptor=group:dc=domain,dc=com?sub
> --
> This message posted from opensolaris.org
_______________________________________________
sysadmin-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
