On Thu, Jul 30, 2015 at 12:27:00PM +0200, Domenico Viggiani wrote:
> > to preserve compatibility, I'd like to map the AD users' default group
> > to a local Linux group.
> Mixing local groups with LDAP groups is not supported by sssd.
> BTW do you use POSIX attributes from AD or do you use ID mapping?
We use ID mapping (even if we already have POSIX extended attributes in AD and some day
in the future this could change)
> In case of ID mapping we generate a group for the user. It has the same GID
> as the user's UID.
OK
> > I don't want to add every AD user to the row in /etc/group and I don't
> > want to change default primary group of users in AD.
> >
> > Is there a group mapping function in SSSD? Or am I completely wrong?
> What is your use case or what do you want to achieve?
We have some local, applicative users, living in various dirs under /home but developers
are allowed to access the server by SSH/SCP only using personal AD credentials. Then they
want to be able to modify files freely without "su"-ing to applicative user.
Applicative dirs already have local group permissions that I cannot change; if I could
put AD users in these groups, not one by one but mapping local group to existing AD
security group, it would be great!
You can put any centralized account into a local group, but you need to
do it on all clients. I have an LDAP account "jhrozek" that is a member
of local group mock:
$ grep mock /etc/group
mock:x:135:jhrozek
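
Added example, not part of the original message: a dry-run sketch that compares a local group line with a directory group line and prints the `gpasswd -a` commands needed to copy the missing members over, which would have to be repeated on every client. The AD group name `developers`, its GID and the users `alice` and `bob` are constructed; only the `mock` line comes from the message above.

```shell
#!/bin/sh
# Both helpers take group(5)-format lines: name:passwd:gid:member1,member2
# On a real client the lines could come from:
#   grep '^mock:' /etc/group      (local group, as in the message above)
#   getent group developers       (directory group resolved through NSS/SSSD)

# missing_members LOCAL_LINE DIR_LINE
# Prints, one per line, members of the directory group absent from the local group.
missing_members() {
    local_members=$(printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n')
    printf '%s\n' "$2" | cut -d: -f4 | tr ',' '\n' | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s\n' "$local_members" | grep -Fqx -- "$user" || printf '%s\n' "$user"
    done
}

# plan_additions LOCAL_GROUP LOCAL_LINE DIR_LINE
# Prints the commands an administrator would review and then run as root.
# Names come from the directory, so anything outside a conservative
# character set is skipped instead of being placed on a root command line.
plan_additions() {
    missing_members "$2" "$3" | while IFS= read -r user; do
        case $user in
            -*|*[!A-Za-z0-9._@-]*)
                printf '# skipped a name with unexpected characters\n' >&2 ;;
            *)
                printf 'gpasswd -a %s %s\n' "$user" "$1" ;;
        esac
    done
}

# Demo on constructed input (the directory line is not real data).
LOCAL_LINE='mock:x:135:jhrozek'
DIR_LINE='developers:*:1234500513:jhrozek,alice,bob'
plan_additions mock "$LOCAL_LINE" "$DIR_LINE"
```

The script only prints the plan; membership added this way is static, so removing someone from the AD group does not remove them from the local group.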