Do most groups in OD still reside in NetInfo and not LDAP?

    #365451
    jerkyjerk
    Participant

    I have a Linux client (CentOS 4, a RHEL clone) using OD and Kerberos for authentication.

    The Linux client has the home folders mounted via NFS from the Mac OS Server. Mac OS X Server version is 10.3.9 by the way. Everything works perfectly, allowing me to log in passwordlessly (is that a word?) to the Linux machine from a Mac OS X client after getting a TGT. When setting up nss on the Linux machine I did set groups to be pulled from LDAP. What I did notice was if I run “ls -al” on my home folder while logged into the Linux client, it doesn’t seem to know anything about the staff group; instead it just lists it as a GID only, which is 20. So I poked around OD directly using some LDAP tools to get a close look at what it contains. Only one group exists in OD, which is group admin with a GID 80. If I add another group called foo to OD, running “getent group” on the Linux client will show foo listed at the bottom of the list, which is what I would expect.

    So the conclusion I’ve come to is that the bulk of the groups remain in NetInfo only and haven’t been added or moved to the LDAP portion of OD. Has anyone seen/fought with this same thing, and if so what did you do about it? I tried to create a group called staff (gid 20) in Workgroup Manager but it complained that the group already exists, which is what put me on the NetInfo trail. My initial idea is to whack the groups in NI and recreate them in OD, which would make them available to Linux, but I’m not sure what the side effects might be to OD or the OS in general. (I’ll probably have to set up a test machine to try that one on.) I’m open to any ideas/suggestions.

    jerky

    #365471
    jerkyjerk
    Participant

    One curiosity I have discovered while testing out deleting the NI staff group and creating one in LDAP: the group admin (GID 80) does actually appear in both OD datastores. Out of curiosity I whacked the NI admin group, leaving only the one in LDAP. After I did that I could no longer log into any of the OD related tools (i.e. NetInfo Manager, Workgroup Manager, and IIRC Server Manager as well) using an OD administrative account. I was able to log in to NetInfo Manager using root as the username, though. As root I was able to add the group and members back in. I’d definitely recommend staying away from the NI admin group. So it looks like Server relies on that group in some way and only consults NI for it. OD allows a duplicate of that group too. On a happier note, the staff group change worked just fine. There are a few others I’d like to standardize as well, like the www (it’s Apache on RHEL/CentOS) group or the mysql group. But definitely be careful with what groups you decide to migrate over. Backups or, even mo’ better, a separate test system are definitely your best friend in this situation.

    jerky
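The comparison jerky did by hand in both posts (poking at LDAP, running getent on the client, then deciding which NetInfo groups to recreate) can be scripted so the list of NI-only groups and any GID clashes is visible before anything is deleted. This is an added example, not code from the thread; it assumes a NetInfo dump taken with `nidump group .` on the 10.3.9 server and a `getent group` listing from the Linux client with nss pointed at LDAP only, and uses constructed sample data in place of both.

```shell
#!/bin/sh
# Added example: diff the groups held in NetInfo against the groups the Linux
# client resolves from OD's LDAP store. Both inputs are /etc/group format
# (name:pw:gid:members). Assumed sources (not run here):
#   server: nidump group . > ni_groups.txt
#   client: getent group  > ldap_groups.txt

# Constructed sample data standing in for the two dumps above.
NI_GROUPS='wheel:*:0:root
staff:*:20:root
admin:*:80:root,jerky
www:*:70:www
mysql:*:74:mysql'

LDAP_GROUPS='admin:*:80:jerky
foo:*:1025:
www:*:1026:'

# Print "name:gid" for every NetInfo group whose name the client cannot
# resolve from LDAP. These are the ones that would show up as bare GIDs
# in "ls -al" on the NFS-mounted home folders.
missing_from_ldap() {
    ni=$(mktemp); ldap=$(mktemp)
    printf '%s\n' "$1" > "$ni"; printf '%s\n' "$2" > "$ldap"
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             $1 != "" && !($1 in seen) { print $1 ":" $3 }' "$ldap" "$ni"
    rm -f "$ni" "$ldap"
}

# Report groups present in both stores but disagreeing on the numeric GID,
# or GIDs that map to different names. Files owned by the old GID keep that
# GID, so a recreated group with a fresh number silently loses membership.
gid_conflicts() {
    ni=$(mktemp); ldap=$(mktemp)
    printf '%s\n' "$1" > "$ni"; printf '%s\n' "$2" > "$ldap"
    awk -F: 'NR == FNR { lname[$3] = $1; lgid[$1] = $3; next }
             $1 == "" { next }
             ($1 in lgid) && lgid[$1] != $3 {
                 print "name " $1 ": NI gid " $3 ", LDAP gid " lgid[$1] }
             ($3 in lname) && lname[$3] != $1 {
                 print "gid " $3 ": NI name " $1 ", LDAP name " lname[$3] }' \
        "$ldap" "$ni"
    rm -f "$ni" "$ldap"
}

# Usage with the constructed data:
#   missing_from_ldap "$NI_GROUPS" "$LDAP_GROUPS"   # wheel:0 staff:20 mysql:74
#   gid_conflicts     "$NI_GROUPS" "$LDAP_GROUPS"   # www: NI 70 vs LDAP 1026
```

Run both checks before whacking anything in NetInfo Manager; a name that appears in the missing list with the same GID already in use on the LDAP side is exactly the "group already exists" case Workgroup Manager complained about.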
