[Freeipa-users] FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.
Simo Sorce
simo at redhat.com
Tue Apr 15 13:30:53 UTC 2014
On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> Hi all,
>
> We asked this same question at discussions.apple.com, but figured we'd have
> better luck here. I apologize in advance if this is the wrong forum.
>
> We are switching from Synology (DSM 5) to Mavericks server (v3.1.1 running
> in Mavericks 10.9.2) for File Sharing. We use a FreeIPA (ipa-server.x86_64
> 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly
> bound to it. Unfortunately, although we can add usernames to the shares for
> the initial config, the usernames transform to UIDs after (only for SSO
> accounts; local accounts are not affected). That is, when we go to edit the
> permissions for a share, all we see are UIDs. We can always figure out the
> username from the UID, but this is an extra step we don't want to have.
> We've tried reinstalling the Mac server app from scratch, re-binding to the
> FreeIPA backend, changing mappings in Directory Utility (for example,
> mapping GeneratedUID to uid, which is the username), recreating the shares
> and permissions, etc. Here are more details about the binding:
>
> * The binding happens thru a custom package we created based primarily on
> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> * Sys Prefs, Users & Groups, Login Options show the server bound to the
> FreeIPA backend with the green dot
> * The following mappings are in place in Directory Utility, Services,
> LDAPv3, FreeIPA backend
>
> Users: inetOrgPerson
> AuthenticationAuthority: uid
> GeneratedUID: random number in uppercase
> HomeDirectory: #/Users/$uid$
> NFSHomeDirectory: #/Users/$uid$
> OriginalHomeDirectory: #/Users/$uid$
> PrimaryGroupID: gidNumber
> RealName: cn
> RecordName: uid
> UniqueID: uidNumber
> UserShell: loginShell
> Groups: posixgroup
> PrimaryGroupID: gidNumber
> RecordName: cn
>
> The search bases are correct
>
> * Directory Utility, Directory Editor shows the right info for the users.
> * $ id $USERNAME shows the right information for the user
>
> FreeIPA is working beautifully for our Mac / Linux environment. We provide
> directory services to about 300 hosts, and 200 employees using it; and
> haven't had any problems LDAP wise until now. So we think we are missing a
> mapping here. Any ideas?

Fredy,

I quickly tried to check for some documentation on how to configure this
stuff, but found only useless superficial guides on how to find the
pointy/clicky buttons to push to enable the service.

I am not a Mac expert by a long shot so I cannot help you much here.

Is there any guide available on how to use this service with other LDAP
servers, like OpenLDAP or Active Directory? We can probably draw some
conclusions from there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York