AD -- GID issues


Paul Letta

Feb 26, 2021, 4:54:24 PM
to isilon-u...@googlegroups.com
Hello everyone.

Our AD has the attribute called gidNumber set for every user to match that user's GID on unix.
It also has an attribute called PrimaryGroupID, which is set to 513 (Domain Users).

For a particular user, who is UID:GID 1162:101 on unix:

This may be causing problems with the user token creation on Isilon… it's picking up both 101 and 513:
This is a snippet of isi auth mapping token:


          Primary Group
                       Name: DOMAIN\domain users
                        GID: 101
                        SID: S-1-5-21-109xxxx34-14xxxx82-184xxx18-513
                    On Disk: 101


I think what I want to see is that for the Primary Group: Name and SID match the GID…  or do I..?

Now I will say this… when I create files via NFS as the user, they get the correct UID:GID  (1162:101)..
Maybe it doesn’t matter that the Isilon token has the PrimaryGroup set to something other than the GID.. as long as file creation uses the GID…

Could this be fixed with a user mapping rule? I've not found anything close to what I want
(i.e. replace PrimaryGroupID with gidNumber)…

I just have the AD authentication source here, it has:
Services for UNIX:  rfc2307
Store services for UNIX mappings: Yes

No NIS/LDAP auth sources configured.  

Any advice out there?  I'm running 9.1.0.4 - but see the same thing on 8.2.2

thanks,
paul

mandar kolhe

Feb 28, 2021, 1:11:54 PM
to isilon-u...@googlegroups.com
Hello Paul,

We have a couple of options here:
1) To create a mapping between GIDs and SIDs (please mention the proper zone ID)
2) You can give permissions to those GIDs as well
3) You can enable rfc 4122, which will auto-generate UID and GID from AD, so if a user comes from Windows or Unix it will have the same GID

Thank you,
Mandar

--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-gr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isilon-user-group/CAAfag87-NogwYO9gcdKOiC%2BkCc%3DwR64PjtFSP-h8KkdZDVeZ9g%40mail.gmail.com.

Dan Pritts

Mar 12, 2021, 4:05:29 PM
to 'Adam Fox' via Isilon Technical User Group
I don't have a solution but I've run into the same problem.  I tried changing a user's default group in AD and it broke a bunch of stuff.  I've mostly given up on the problem but have to fix group permissions periodically.



--
Dan Pritts
ICPSR Computing & Network Services
University of Michigan 
