[Freeipa-users] FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.

Fredy Sanchez fredy.sanchez at modmed.com
Wed Apr 16 22:40:48 UTC 2014 

Sure Rob, we'll put something together and send it to you for publishing.
Give us a few days. We'll also sanitize our enrollment package and share it
w/ you too. This is what we use to enroll our Macs, a one time install that
does what ipa-client-install does for Linux, including these LDAP mappings.
We love FreeIPA and will be really happy if this helps any other users with
Mac fleets.


On Wed, Apr 16, 2014 at 6:12 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Fredy Sanchez wrote:
>
>> Hi Simo,
>>
>> Thanks for your reply. Good old Google pointed me to
>> https://github.com/rtrouton/rtrouton_scripts/blob/master/
>> rtrouton_scripts/open-l
>> dap_bind_script/Mac_OpenLDAP_bind_script.sh, which gave me the idea of
>> updating the RealName mapping to displayName. This solved the problem,
>> I'll have to recreate the permissions for every share, but the user
>> names now show up, and stick. No more UIDs.
>>
>
> Great. Any chance you can write something and post a howto on our wiki? Or
> send the details to me and I'll write something up?
>
> thanks
>
> rob
>
>
>>
>> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <simo at redhat.com
>> <mailto:simo at redhat.com>> wrote:
>>
>>     On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
>>      > Hi all,
>>      >
>>      > We asked this same question at discussions.apple.com
>>     <http://discussions.apple.com>, but figured we'd have
>>
>>      > better luck here. I apologize in advance if this is the wrong
>> forum.
>>      >
>>      > We are switching from Synology (DSM 5) to Mavericks server
>>     (v3.1.1. running
>>      > in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
>>     (ipa-server.x86_64
>>      >         3.0.0-37.el6) backend for SSO, and the Mac server seems
>>     correctly
>>      > bound to it. Unfortunately, although we can add usernames to the
>>     shares for
>>      > the initial config, the usernames transform to UIDs after (only
>>     for SSO
>>      > accounts; local accounts are not affected). That is, when we go
>>     to edit the
>>      > permissions for a share, all we see are UIDs. We can always
>>     figure out the
>>      > username from the UID, but this is an extra step we don't want to
>>     have.
>>      > We've tried reinstalling the Mac server app from scratch,
>>     re-binding to the
>>      > FreeIPA backend, changing mappings in Directory Utility (for
>> example,
>>      > mapping GeneratedUID to uid, which is the username), recreating
>>     the shares
>>      > and permissions, etc. Here are more details about the binding:
>>      >
>>      > * The binding happens thru a custom package we created based
>>     primarily on
>>      >
>>     http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.
>> 2F10.8
>>      > * Sys Prefs, Users & Groups, Login Options show the server bound
>>     to the
>>      > FreeIPA backend with the green dot
>>      > * The following mappings are in place in Directory Utility,
>> Services,
>>      > LDAPv3, FreeIPA backend
>>      >
>>      > Users: inetOrgPerson
>>      >      AuthenticationAuthority: uid
>>      >      GeneratedUID: random number in uppercase
>>      >      HomeDirectory: #/Users/$uid$
>>      >      NFSHomeDirectory: #/Users/$uid$
>>      >      OriginalHomeDirectory: #/Users/$uid$
>>      >      PrimaryGroupID: gidNumber
>>      >      RealName: cn
>>      >      RecordName: uid
>>      >      UniqueID: uidNumber
>>      >      UserShell: loginShell
>>      > Groups: posixgroup
>>      >      PrimaryGroupID: gidNumber
>>      >      RecordName: cn
>>      >
>>      > The search bases are correct
>>      >
>>      > * Directory Utility, Directory Editor shows the right info for
>>     the users.
>>      > * $ id $USERNAME shows the right information for the user
>>      >
>>      > FreeIPA is working beautifully for our Mac / Linux environment.
>>     We provide
>>      > directory services to about 300 hosts, and 200 employees using
>>     it; and
>>      > haven't had any problems LDAP wise until now. So we think we are
>>     missing a
>>      > mapping here. Any ideas?
>>
>>     Fredy,
>>     I quickly tried to check for some documentation on how to configure
>> this
>>     stuff, but found only useless superficial guides on how to find the
>>     pointy/clicky buttons to push to enable the service.
>>
>>     I am not a Mac expert by a long shot so I cannot help you much here.
>>
>>     Is there any guide available on how to use this service with other
>> LDAP
>>     servers, like openLDAP or Active Directory ? We can probably draw some
>>     conclusions from there.
>>
>>     Simo.
>>
>>     --
>>     Simo Sorce * Red Hat, Inc * New York
>>
>>
>>
>>
>> --
>> Cheers,
>>
>> Fredy Sanchez
>> IT Manager @ Modernizing Medicine
>> (561) 880-2998 x237
>> fredy.sanchez at modmed.com <mailto:fredy.sanchez at modmed.com>
>>
>> *Need IT support?* Visit https://mmit.zendesk.com
>> <https://mmit.zendesk.com/>
>>
>>   *
>>
>>
>>   * *
>>     *
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>


-- 
Cheers,

Fredy Sanchez
IT Manager @ Modernizing Medicine
(561) 880-2998 x237
fredy.sanchez at modmed.com

*Need IT support?* Visit https://mmit.zendesk.com

   -


   -
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140416/39b83d81/attachment.htm>

More information about the Freeipa-users mailing list