[Freeipa-users] FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.

Rob Crittenden rcritten at redhat.com
Wed Apr 16 22:12:06 UTC 2014


Fredy Sanchez wrote:
> Hi Simo,
>
> Thanks for your reply. Good old Google pointed me to
> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
> which gave me the idea of updating the RealName mapping to displayName.
> This solved the problem; I'll have to recreate the permissions for every
> share, but the user names now show up, and stick. No more UIDs.

Great. Any chance you can write something and post a howto on our wiki? 
Or send the details to me and I'll write something up?

thanks

rob

>
>
> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <simo at redhat.com> wrote:
>
>     On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
>      > Hi all,
>      >
>      > We asked this same question at discussions.apple.com, but figured
>      > we'd have better luck here. I apologize in advance if this is the
>      > wrong forum.
>      >
>      > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1.
>      > running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
>      > (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server
>      > seems correctly bound to it. Unfortunately, although we can add
>      > usernames to the shares for the initial config, the usernames
>      > transform to UIDs after (only for SSO accounts; local accounts are
>      > not affected). That is, when we go to edit the permissions for a
>      > share, all we see are UIDs. We can always figure out the username
>      > from the UID, but this is an extra step we don't want to have.
>      > We've tried reinstalling the Mac server app from scratch, re-binding
>      > to the FreeIPA backend, changing mappings in Directory Utility (for
>      > example, mapping GeneratedUID to uid, which is the username),
>      > recreating the shares and permissions, etc. Here are more details
>      > about the binding:
>      >
>      > * The binding happens thru a custom package we created based
>      >   primarily on
>      >   http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>      > * Sys Prefs, Users & Groups, Login Options show the server bound to
>      >   the FreeIPA backend with the green dot
>      > * The following mappings are in place in Directory Utility, Services,
>      >   LDAPv3, FreeIPA backend
>      >
>      > Users: inetOrgPerson
>      >      AuthenticationAuthority: uid
>      >      GeneratedUID: random number in uppercase
>      >      HomeDirectory: #/Users/$uid$
>      >      NFSHomeDirectory: #/Users/$uid$
>      >      OriginalHomeDirectory: #/Users/$uid$
>      >      PrimaryGroupID: gidNumber
>      >      RealName: cn
>      >      RecordName: uid
>      >      UniqueID: uidNumber
>      >      UserShell: loginShell
>      > Groups: posixgroup
>      >      PrimaryGroupID: gidNumber
>      >      RecordName: cn
>      >
>      > The search bases are correct
>      >
>      > * Directory Utility, Directory Editor shows the right info for the
>      >   users.
>      > * $ id $USERNAME shows the right information for the user
>      >
>      > FreeIPA is working beautifully for our Mac / Linux environment. We
>      > provide directory services to about 300 hosts, and 200 employees
>      > using it; and haven't had any problems LDAP wise until now. So we
>      > think we are missing a mapping here. Any ideas?
>
>     Fredy,
>     I quickly tried to check for some documentation on how to configure this
>     stuff, but found only useless superficial guides on how to find the
>     pointy/clicky buttons to push to enable the service.
>
>     I am not a Mac expert by a long shot so I cannot help you much here.
>
>     Is there any guide available on how to use this service with other LDAP
>     servers, like OpenLDAP or Active Directory? We can probably draw some
>     conclusions from there.
>
>     Simo.
>
>     --
>     Simo Sorce * Red Hat, Inc * New York
>
>
>
>
> --
> Cheers,
>
> Fredy Sanchez
> IT Manager @ Modernizing Medicine
> (561) 880-2998 x237
> fredy.sanchez at modmed.com
>
> *Need IT support?* Visit https://mmit.zendesk.com