[Freeipa-users] FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.
Chris Whittle
cwhittl at gmail.com
Thu Apr 17 20:29:32 UTC 2014
I was able to take that script and with some customizing get it to work
with Mavericks.... This should work, I tried to do a find and replace to
make it work like the github one.
On Wed, Apr 16, 2014 at 5:40 PM, Fredy Sanchez <fredy.sanchez at modmed.com> wrote:
> Sure Rob, we'll put something together and send it to you for publishing.
> Give us a few days. We'll also sanitize our enrollment package and share it
> w/ you too. This is what we use to enroll our Macs, a one time install that
> does what ipa-client-install does for Linux, including these LDAP mappings.
> We love FreeIPA and will be really happy if this helps any other users with
> Mac fleets.
>
>
> On Wed, Apr 16, 2014 at 6:12 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Fredy Sanchez wrote:
>>
>>> Hi Simo,
>>>
>>> Thanks for your reply. Good old Google pointed me to
>>> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
>>> which gave me the idea of
>>> updating the RealName mapping to displayName. This solved the problem,
>>> I'll have to recreate the permissions for every share, but the user
>>> names now show up, and stick. No more UIDs.
>>>
>>
>> Great. Any chance you can write something and post a howto on our wiki?
>> Or send the details to me and I'll write something up?
>>
>> thanks
>>
>> rob
>>
>>
>>>
>>> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <simo at redhat.com> wrote:
>>>
>>> On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
>>> > Hi all,
>>> >
>>> > We asked this same question at discussions.apple.com, but figured we'd
>>> > have better luck here. I apologize in advance if this is the wrong forum.
>>> >
>>> > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1.
>>> > running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
>>> > (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server
>>> > seems correctly bound to it. Unfortunately, although we can add usernames
>>> > to the shares for the initial config, the usernames transform to UIDs
>>> > after (only for SSO accounts; local accounts are not affected). That is,
>>> > when we go to edit the permissions for a share, all we see are UIDs. We
>>> > can always figure out the username from the UID, but this is an extra
>>> > step we don't want to have. We've tried reinstalling the Mac server app
>>> > from scratch, re-binding to the FreeIPA backend, changing mappings in
>>> > Directory Utility (for example, mapping GeneratedUID to uid, which is the
>>> > username), recreating the shares and permissions, etc. Here are more
>>> > details about the binding:
>>> >
>>> > * The binding happens thru a custom package we created based primarily on
>>> >   http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>> > * Sys Prefs, Users & Groups, Login Options show the server bound to the
>>> >   FreeIPA backend with the green dot
>>> > * The following mappings are in place in Directory Utility, Services,
>>> >   LDAPv3, FreeIPA backend
>>> >
>>> > Users: inetOrgPerson
>>> >   AuthenticationAuthority: uid
>>> >   GeneratedUID: random number in uppercase
>>> >   HomeDirectory: #/Users/$uid$
>>> >   NFSHomeDirectory: #/Users/$uid$
>>> >   OriginalHomeDirectory: #/Users/$uid$
>>> >   PrimaryGroupID: gidNumber
>>> >   RealName: cn
>>> >   RecordName: uid
>>> >   UniqueID: uidNumber
>>> >   UserShell: loginShell
>>> > Groups: posixgroup
>>> >   PrimaryGroupID: gidNumber
>>> >   RecordName: cn
>>> >
>>> > The search bases are correct
>>> >
>>> > * Directory Utility, Directory Editor shows the right info for the users.
>>> > * $ id $USERNAME shows the right information for the user
>>> >
>>> > FreeIPA is working beautifully for our Mac / Linux environment. We provide
>>> > directory services to about 300 hosts, and 200 employees using it; and
>>> > haven't had any problems LDAP wise until now. So we think we are missing a
>>> > mapping here. Any ideas?
>>>
>>> Fredy,
>>> I quickly tried to check for some documentation on how to configure this
>>> stuff, but found only useless superficial guides on how to find the
>>> pointy/clicky buttons to push to enable the service.
>>>
>>> I am not a Mac expert by a long shot so I cannot help you much here.
>>>
>>> Is there any guide available on how to use this service with other LDAP
>>> servers, like openLDAP or Active Directory? We can probably draw some
>>> conclusions from there.
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>>
>>>
>>> --
>>> Cheers,
>>>
>>> Fredy Sanchez
>>> IT Manager @ Modernizing Medicine
>>> (561) 880-2998 x237
>>> fredy.sanchez at modmed.com
>>>
>>> *Need IT support?* Visit https://mmit.zendesk.com
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>
>
> --
> Cheers,
>
> Fredy Sanchez
> IT Manager @ Modernizing Medicine
> (561) 880-2998 x237
> fredy.sanchez at modmed.com
>
> *Need IT support?* Visit https://mmit.zendesk.com
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FREEIPABindScript.sh
Type: application/x-sh
Size: 7238 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140417/c3fe7ab9/attachment.sh>
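
An added example, not part of the original thread or the attached script: one way to confirm, before pointing RealName at displayName on every Mac, that each user entry actually carries the LDAP attributes the mapping names. It parses an LDIF export of the user container; the sample entries, the subset of mappings checked, and the function names are constructed for illustration.

```python
import base64

# Directory Utility attribute -> LDAP attribute: a subset of the user mappings
# quoted in the thread, with RealName pointed at displayName instead of cn.
USER_MAPPING = {"RecordName": "uid", "RealName": "displayName",
                "UniqueID": "uidNumber"}

# Constructed sample export (not real directory data). bob has no displayName;
# carol's is base64-encoded and folded across two lines, as LDIF permits.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
displayName: Alice Example
uidNumber: 10001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
cn: Bob Example
uidNumber: 10002

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
displayName:: Q2Fyb2wgRXhhb
 XBsZQ==
uidNumber: 10003
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    text = text.replace("\n ", "")  # unfold continuation lines
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries, mapping=USER_MAPPING):
    """Map each uid to the Directory Utility attributes it cannot supply."""
    report = {}
    for entry in entries:
        missing = [mac for mac, ldap in mapping.items()
                   if not any(entry.get(ldap.lower(), []))]
        if missing:
            report[entry.get("uid", ["?"])[0]] = missing
    return report
```

`audit(parse_ldif(SAMPLE_LDIF))` lists the accounts that would have no value for a mapped attribute, so they can be fixed in the directory before the mapping is rolled out.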