Score:1

Linux: Converting from NIS to AD auth, how to associate old UID/GID to "new" users?


Background: Our org has used NIS for 20+ years for UNIX/Linux authentication, continuing through the present time. Windows and Active Directory came on the scene in our org sometime around 16 years ago, but AD was never used for Linux auth (only using RHEL/CentOS and Ubuntu Linux now; all other *nix has fallen by the wayside.) So, on all of our many Linux resources, we are still using traditional UID/GID ranges for users' files.

Now, management has finally dictated that we need to move to AD for Linux auth and stop using NIS (no real argument there ;), so we are working on utilizing SSSD to do this (which seems to be the popular [only?] way to integrate Linux auth against AD.) The issue we are facing is how to associate the old NIS-based UID and GID values for the users to their new AD-based identity. For instance, my AD-auth'd user on a test system has this from getent passwd -s sss wdennis:

root@vm01:~# getent passwd -s sss wdennis
wdennis:*:140001116:140000513:Will Dennis:/home/wdennis:/bin/bash

So obviously the UID/GID is auto-generated, and does not correspond with our current NIS values. In doing some research on AD and its schema, I see that the user attributes include the following:

  • uidNumber
  • gidNumber
  • unixHomeDirectory
  • loginShell

My question: can SSSD (or whatever we use to auth) somehow consume the values of uidNumber and gidNumber to map the existing UID/GID of files to the new AD-auth'd user? Or, how else can we associate the existing file ownership info to the AD-auth'd users? (Due to the number of files and machines having them, it's not really possible to chown the files to the new UID/GID values...)

Score:1

Yes, sssd can use the POSIX attributes from AD instead of doing its own ID mapping.

In the section for your AD domain in /etc/sssd/sssd.conf, simply set ldap_id_mapping = false.

If you have already used sssd's automatic ID mapping on a computer, be sure to clear its cache before you restart sssd.

rm -f /var/lib/sss/db/*

When using realm join to join a new computer to the domain, include the command line option --automatic-id-mapping=no.
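
Before flipping ldap_id_mapping off fleet-wide, it is worth checking that AD's uidNumber/gidNumber actually reproduce the NIS values for every account. The script below is an added example (not from the question or answer above): it compares a passwd-format NIS map (such as ypcat passwd output) against what sssd returns from getent passwd -s sss, and reports users whose IDs differ or who have no AD entry yet. The sample accounts in it are constructed.

```python
"""Audit whether AD POSIX attributes reproduce the old NIS UID/GID values."""


def parse_passwd(text):
    """Parse passwd-format lines into {login: (uid, gid)}; skip blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def audit_ids(nis_text, sss_text):
    """Return (mismatches, missing): users whose NIS and sssd uid/gid differ,
    and NIS users that sssd does not know at all."""
    nis = parse_passwd(nis_text)
    sss = parse_passwd(sss_text)
    mismatches = {u: (nis[u], sss[u]) for u in nis if u in sss and nis[u] != sss[u]}
    missing = sorted(u for u in nis if u not in sss)
    return mismatches, missing


# Constructed sample data (not real accounts): the NIS map on the left,
# the sssd view on the right. wdennis still shows an auto-mapped ID (ID mapping
# left on, or the cache not cleared), jdoe matches, svc_backup has no AD entry.
NIS_SAMPLE = """\
wdennis:x:1116:513:Will Dennis:/home/wdennis:/bin/bash
jdoe:x:1200:513:Jane Doe:/home/jdoe:/bin/bash
svc_backup:x:1300:1300:Backup service:/srv/backup:/sbin/nologin
"""
SSS_SAMPLE = """\
wdennis:*:140001116:140000513:Will Dennis:/home/wdennis:/bin/bash
jdoe:*:1200:513:Jane Doe:/home/jdoe:/bin/bash
"""

if __name__ == "__main__":
    bad, missing = audit_ids(NIS_SAMPLE, SSS_SAMPLE)
    for user, (old, new) in sorted(bad.items()):
        print(f"MISMATCH {user}: NIS {old[0]}:{old[1]} -> sssd {new[0]}:{new[1]}")
    for user in missing:
        print(f"MISSING in AD: {user}")
```

On a real host, replace the samples with the captured output of ypcat passwd and getent passwd -s sss and run it on a few machines before removing NIS.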

Comment (Will Dennis): Works, thanks! One other question -- do you need the POSIX attribs filled then on every user that wants to log in via SSSD? Or is there a way to let some folks have those attribs & SSSD uses them, and if not, it generates values?

Comment (Michael Hampton): @WillDennis AFAIK it's one or the other for the entire domain, but I haven't touched one of these setups in several years.

Comment (Michael Hampton): And as an alternative to all this, consider putting your Linux systems in a FreeIPA domain and setting up a trust to AD. This isn't a solution to your UID issue, but it is a solution to issues you may have down the road, such as setting domain-wide sudo policies and other Linux-centric features FreeIPA provides and AD does not.