
Woot! Unix group enumeration from AD groups.

Well, that was easy enough. Just needed to understand a bit more of the AD OU structure here. (Sanitized a bit for now).

-bash-3.2$ touch foo bar baz quux
-bash-3.2$ ls -l
total 0
-rw-r--r-- 1 hcoyote UNIXTEST-test 0 Jun  3 16:59 bar
-rw-r--r-- 1 hcoyote UNIXTEST-test 0 Jun  3 16:59 baz
-rw-r--r-- 1 hcoyote UNIXTEST-test 0 Jun  3 16:59 foo
-rw-r--r-- 1 hcoyote UNIXTEST-test 0 Jun  3 16:59 quux
-bash-3.2$ id
uid=66000(hcoyote) gid=66000(UNIXTEST-test) groups=66000(UNIXTEST-test)
-bash-3.2$ getent group UNIXTEST-test
UNIXTEST-test:*:66000:hcoyote,member2,member3
-bash-3.2$ getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
.
.
.
stapdev:x:101:
stapusr:x:102:
avahi-autoipd:x:103:
UNIXTEST-test:*:66000:hcoyote,effie,csoto

UNIXTEST-test is the group name for gid 66000 in Active Directory. Everything listed before this group comes straight from the local group file, because nsswitch.conf is configured to consult the local files first and then LDAP.

This was solved by adding the following to the ldap.conf:

nss_base_group      ou=Departments,?sub?&(objectCategory=group)(gidNumber=*)

Also, you need to modify nsswitch.conf to be:

group: files ldap
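Once both settings are in place, the merged view that `getent group` returns is what every `ls -l`, `id` and group-based access check on the box will see, so it is worth sanity-checking it. The script below is an added example (not part of the original post): it parses group lines in the `name:passwd:gid:members` format shown above and checks three things an admin cares about after wiring AD groups into NSS: that a group resolves, that a user is listed in it, and that no local group collides with an AD group on GID or name (with `group: files ldap`, the local entry shadows the LDAP one). The group data is a constructed sample embedded in the script so it runs offline; in practice you would replace `GROUP_DATA` with the output of `getent group`.

```shell
#!/bin/sh
# Constructed sample mirroring the sanitized output above, plus one local
# group ("legacy") that deliberately collides with an AD group on GID 66001.
GROUP_DATA='root:x:0:root
bin:x:1:root,bin,daemon
adm:x:4:root,adm,daemon
stapdev:x:101:
legacy:x:66001:
UNIXTEST-test:*:66000:hcoyote,effie,csoto
UNIXTEST-web:*:66001:effie'

# Print the comma-separated member list of group $1 (empty if the group
# does not resolve at all, which is what you see before nss_base_group works).
group_members() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$1 == g { print $4; exit }'
}

# Exit 0 if user $1 is listed as a supplementary member of group $2.
# Note: a user whose primary GID (from passwd) is this group is not
# necessarily listed in the member field, so check `id` for that case.
user_in_group() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print GIDs that appear more than once in the merged view. A local group
# sharing a GID with an AD group makes ownership and access decisions
# ambiguous, and with "files ldap" the local entry wins.
duplicate_gids() {
    printf '%s\n' "$GROUP_DATA" | awk -F: '{ c[$3]++ } END { for (g in c) if (c[g] > 1) print g }'
}

# Print group names that appear more than once (same shadowing problem).
duplicate_names() {
    printf '%s\n' "$GROUP_DATA" | awk -F: '{ c[$1]++ } END { for (n in c) if (c[n] > 1) print n }'
}

# Stand-alone run: report what the checks find.
echo "UNIXTEST-test members: $(group_members UNIXTEST-test)"
if user_in_group effie UNIXTEST-test; then echo "effie is in UNIXTEST-test"; fi
echo "duplicate GIDs: $(duplicate_gids)"
echo "duplicate names: $(duplicate_names)"
```

Run it on the real box as `GROUP_DATA=$(getent group)` exported before the script, or pipe `getent group` through the same awk filters; a non-empty result from `duplicate_gids` or `duplicate_names` means a local entry is hiding an AD group and should be renumbered or removed before relying on group-based authorization.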

One step closer. Next: account authorization via group membership. In other words, only let someone use a resource if they exist in a specific group. Need to figure out whether this should be done via netgroup or unix group membership. Off to research!

Travis Campbell
Staff Systems Engineer at ghostar
Travis Campbell is a seasoned Linux Systems Engineer with nearly two decades of experience, ranging from dozens to tens of thousands of systems in the semiconductor industry, higher education, and high volume sites on the web. His current focus is on High Performance Computing, Big Data environments, and large scale web architectures.