Forum Replies Created

  • xom
    Participant

    Hi, from what I have read, it is suggested to extend your existing LDAP schema to include the Apple attributes.
    This guy has a pretty good blog entry about it:
    http://rajeev.name/blog/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/

    in reply to: AD with SFU 3.5 and OSX AD plugin mappings. #364456
    xom
    Participant

    [QUOTE BY= MacTroll] Looks like you’ll need to set up a secondary LDAP connection to AD, or… scary as this sounds, you could set up a NIS connection between OS X and AD. Is that how you’re feeding your other Unix machines?[/QUOTE]

    The Unix boxes all bind to a Solaris NIS server. AD is not talking to it in any way currently.
    I have bound Apple clients via NIS before. As in they auth to our Solaris backend. There have been some issues with NFS performance/stability and user home dirs that made me look for other ways of integration (AD). I will look into a secondary LDAP connection to AD from the Mac. Hopefully someday soon we will be off of NIS completely and on OpenLDAP. Thanks.

    in reply to: AD with SFU 3.5 and OSX AD plugin mappings. #364449
    xom
    Participant

    [QUOTE BY= MacTroll] Secondary group memberships is an interesting question.

    The AD plugin will use memberd to generate the long numbered ones that you’re seeing from the native groups. The GUID field in the AD plugin only refers to the user’s primary GroupID in their actual user record, IIRC. So... that leaves how to get the AD plugin to see that you have non-AD style groups.

    Using dscl are you able to see the other groups in the directory?[/QUOTE]

    Connecting to /Active Directory/mydomain.blah via dscl and running list /Groups gets me all of the groups in AD, just as read /Users gets me all of the users. I’m not super familiar with dscl, is there anything else I should be checking? My basic problem is that even though the Apple client can see the AD group “foo” it doesn’t seem to know that this group is also mapped to an NIS group “foo” via SFU on the domain controller. Which is weird because that mapping relationship for the primary group for a user does come through when you run id on a user, i.e. NIS group 100(users) is mapped to domain users. Thanks for the leads. This site has been a huge help and I look forward to the day I can give back with knowledge.

    in reply to: AD with SFU 3.5 and OSX AD plugin mappings. #364436
    xom
    Participant

    For more clarification,
    I’m trying to understand how secondary groups are handled by the AD plugin in Tiger. Currently user “foo” is a member of domain users which is mapped to users on the Unix side. “foo” is also a member of “bar” which is also mapped via SFU to a group on the Unix side. Currently when I log in as “foo” and run id in a shell I only see the primary group Domain users mapped to the correct GID number. After groups= there are a bunch of longer strings, presumably AD group translations, that obviously the NFS mounts from the Unix server won’t recognize. I can also cycle the primary group in AD for user “foo” to, say, the secondary group “bar” and get access to the NFS mount.
    Maybe this didn’t clarify anything...

    in reply to: Bound to AD using SFU3.5 X11 question. #363844
    xom
    Participant

    OK, so I found an attribute in the schema for the user shell:
    msSFU30LoginShell
    It has an attribute ID of 1.2.840.113556.1.6.18.1.312
    I will replace what is in the AD plist for user shell with that string and see if it takes.
    -xom

    in reply to: Bound to AD using SFU3.5 X11 question. #363843
    xom
    Participant

    Ah, I see. Yes, I am looking for a way to map the shell entry value from the SFU entries to the AD schema to something the Apple understands. That way I can control the shell type on a per-user basis from AD.
    Thanks,
    xom.

    in reply to: Bound to AD using SFU3.5 X11 question. #363829
    xom
    Participant

    [QUOTE BY= MacTroll] [QUOTE BY= xom]
    Do you mean use dsconfigad and map the shell preference for the specific user?[/QUOTE]

    Well, you won’t be able to map per user. Instead you can map all users to a shell set in each user’s SFU shell attribute in AD.[/QUOTE]

    Ahh, so there IS a way to do other mappings besides what is in the GUI plugin. I’ve been playing with different ways to map our Unix user GIDs to what the SFU AD schema entries are.
    Cool, thanks,
    xom

    in reply to: Bound to AD using SFU3.5 X11 question. #363827
    xom
    Participant

    [QUOTE BY= MacTroll] With SFU did you give every user in AD a shell?

    By default we won’t map that, but you can using dsconfigad and doing a static map.

    If you don’t have it in AD, and you’re not going to put it in there, you’re correct that there really isn’t an easy way to do it.

    What’s wrong with bash, anyway? [/QUOTE]

    Do you mean use dsconfigad and map the shell preference for the specific user?
    I like bash and t but this CS prof. wants z.

    xom
    Participant

    Hi, does anyone know what to use for the other two mapping fields?
    I’ve tried msSFU30GidNumber in both group fields but when I log on the group is still set to “unknown” on the Mac.
    Thanks,
    xom

    in reply to: Unable to change file permissions on samba mount. #363286
    xom
    Participant

    OK, I have spent about 4 days of work time on this.
    I am totally at a loss as to what to do. It would seem to be an easy problem to fix. Perhaps a config setting somewhere, either on the Solaris side in smb.conf or with the Apple SMB client.
    I just don’t understand why I can’t change any file permissions on an SMB share mounted on a Mac. Makes no sense, especially when I CAN do it from a Windows box.
    grrrrrrrr

    in reply to: Unable to change file permissions on samba mount. #363284
    xom
    Participant

    Update:
    I tried manually mounting the share via mount_smbfs.
    Since it defaults to whatever the owner and group IDs are from the directory where the volume is mounted, I got 755 for all the files. But when I chmod anything the change doesn’t take.
    Is there something seriously wrong with the samba client in Tiger?
