AD with SFU 3.5 and OSX AD plugin mappings.

[xom]

Hello All,
I’m trying to figure out what the “map group GID to attribute” mapping in the OS X ad plugin would map to in AD with SFU schema extensions. I currently have the UID attribute going to msSFU30UidNumber and the user GID going to msSFU30GidNumber. I just can’t figure out the group GID attribute. I believe I need this for secondary group membership mappings for NFS mounts that I need folks to get to. Any help or insight would be great.
-xom

[xom]

For more clarification,
I’m trying to understand how secondary groups are handled by the AD plugin in Tiger. Currently User “foo” is a member of domain users which is mapped to users on the unix side. “foo” is also a member of “bar” which is alos mapped via SFU to a group on the unix side. Currently when I login as “foo” and run id in a shell I only see the primary group Domain users mapped to the correct GID number. After groups= there are a bunch of longer string presumably AD group translations that obviously the NFS mounts from the unix server won’t recognize. I can also cycle the primary group in AD for user “foo” to say the secondary group “bar” and get access to the NFS mount.
maybe this didn’t clarify anything…….

[xom]

[QUOTE BY= MacTroll] Secondary group memberships is an interesting question.

The AD plugin will use memberd to generate the long numbered ones that your seeing from the native groups. The GUID field in the AD plugin only referers to the user’s primary GroupID in their actual user record, IIRC. So.. that leaves how to get the AD plugin to see that you have non-AD style groups.

Using dscl are you able to see the other groups in the directory?[/QUOTE]

connecting to /Active Directory/mydomain.blah via dscl and running list /Groups gets me all of the groups in AD, just as read /Users gets me all of the users. I’m not super familiar with dscl, is there anything else I should be checking? My basic problem is that even though the apple client can see the AD group “foo” it doesn’t seem to know that this group is also mapped to an NIS group “foo” via SFU on the domain controller. Which is weird becuase that mapping relationship for the primary group for a user does come through when you run id on a user, i.e. nis group 100(users) is mapped to domain users. Thanks for the leads. This site has been a huge help and I look forward to the day I can give back with knowledge.

[xom]

[QUOTE BY= MacTroll] Looks like you’ll need to set up a secondary LDAP connection to AD, or… scary as this sounds, you could set up a NIS connection between OS X and AD. Is that how you’re feeding your other Unix machines?[/QUOTE]

The Unix boxes all bind to a Solaris NIS server. AD is not talking to it in any way currently.
I have bound apple clients via NIS before. As in they auth to our Solaris backend. There have been some issues with NFS performance/stability and user home dirs that made me look for other ways of integration (AD). I will look into a secondary LDAP connection to AD from the mac. hopefully someday soon we will be off of NIS completely and on openLDAP. Thanks.

[Author]

Posts